blob: a85e4fc66bca7a007d3641234ca7530eed1f3f7b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
# Copyright (C) 2014 Andrew Murrell
# Copyright (C) 2014 Davis Webb
# Copyright (C) 2014 Guntas Grewal
# Copyright (C) 2014 Luke Shumaker
# Copyright (C) 2014 Nathaniel Foy
# Copyright (C) 2014 Tomer Kimia
#
# This file is part of Leaguer.
#
# Leaguer is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Leaguer is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the Affero GNU General Public License
# along with Leaguer. If not, see <http://www.gnu.org/licenses/>.
class Session < ActiveRecord::Base
belongs_to :user
def owned_by?(tuser)
self.user == tuser
end
##
# Create a random remember token for the user. This will be
# changed every time the user creates a new session.
#
# If you want this value, hang on to it; the raw value is
# discarded afterward.
#
# By changing the cookie every new session, any hijacked sessions
# (where the attacker steals a cookie to sign in as a certain
# user) will expire the next time the user signs back in.
#
# The random string is of length 16 composed of A-Z, a-z, 0-9
# This is the browser's cookie value.
def create_token()
t = SecureRandom.urlsafe_base64
self.token = Session.hash_token(t)
t
end
##
# Encrypt the remember token.
# This is the encrypted version of the cookie stored on
# the database.
#
# The reasoning for storing a hashed token is so that even if
# the database is compromised, the attacker won't be able to use
# the remember tokens to sign in.
def Session.hash_token(token)
# SHA-1 (Secure Hash Algorithm) is a US engineered hash
# function that produces a 20 byte hash value which typically
# forms a hexadecimal number 40 digits long.
# The reason I am not using the Bcrypt algorithm is because
# SHA-1 is much faster and I will be calling this on
# every page a user accesses.
#
# https://en.wikipedia.org/wiki/SHA-1
Digest::SHA1.hexdigest(token.to_s)
end
end
|