Roxen.git / server / modules / tags / session_tag.pike


Roxen.git/server/modules/tags/session_tag.pike:1:   // This is a roxen module. Copyright © 2001 - 2009, Roxen IS.   //      #define _error id->misc->defines[" _error"]   //#define _extra_heads id->misc->defines[" _extra_heads"]      #include <module.h>   inherit "module";    - constant cvs_version = "$Id: session_tag.pike,v 1.31 2012/04/17 12:11:32 erikd Exp $"; + constant cvs_version = "$Id$";   constant thread_safe = 1;   constant module_type = MODULE_TAG;   constant module_name = "Tags: Session tag module";   constant module_doc = #"\   This module provides the session tag which provides a variable scope   where user session data can be stored.";      protected string shared_db;   protected int db_ok;   
Roxen.git/server/modules/tags/session_tag.pike:158:    cache.clear_session(args->id, shared_db);    }    }   }      class TagForceSessionID {    inherit RXML.Tag;    constant name = "force-session-id";    constant flags = RXML.FLAG_EMPTY_ELEMENT;    +  mapping(string:RXML.Type) opt_arg_types = ([ +  "secure":RXML.t_text(RXML.PEnt), +  "httponly":RXML.t_text(RXML.PEnt), +  ]); +     class Frame {    inherit RXML.Frame;       array do_enter(RequestID id) {    if( query("use-prestate") ) {    int prestate = sizeof(filter(id->prestate,    lambda(string in) {    return has_prefix(in, "RoxenUserID");    } ));   
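Review bot: The new `opt_arg_types` mapping declares `secure` and `httponly` as entity-parsed text, but nothing says they are meant as presence flags, and the frame later passes `args->secure` and `args->httponly` straight through as truth values. In Pike every string is true, so `secure='0'`, or an entity that expands to an empty string, would presumably still enable the cookie attribute, depending on how `Roxen.set_cookie` tests its arguments. That errs towards the stricter setting, but it should be stated, for example `// Presence flags: any value, even "" or "0", turns the cookie attribute on.` above the mapping. The `Frame` class body continues outside this hunk.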
Roxen.git/server/modules/tags/session_tag.pike:187:    mapping r = Roxen.http_redirect(id->not_query + path_info, id, 0,    id->real_variables);    if (r->error)    RXML_CONTEXT->set_misc (" _error", r->error);    if (r->extra_heads)    RXML_CONTEXT->extend_scope ("header", r->extra_heads);       // Don't trust that the user cookie setting is turned on. The effect    // might be that the RoxenUserID cookie is set twice, but that is    // not a problem for us. -  id->add_response_header( "Set-Cookie", Roxen.http_roxen_id_cookie(session_id) ); +  // NB: Inlined call of Roxen.http_roxen_id_cookie() below. +  Roxen.set_cookie(id, "RoxenUserID", session_id, 3600*24*365*2, +  UNDEFINED, "/", args->secure, args->httponly);    id->prestate = orig_prestate;    return 0;    }       // If there is both an ID cookie and a session prestate, then the -  // user do accept cookies, and there is no need for the session +  // user does accept cookies, and there is no need for the session    // prestate. Redirect back to the page, but without the session    // prestate.    if(id->cookies->RoxenUserID && prestate) {    multiset orig_prestate = id->prestate;    id->prestate = filter(id->prestate,    lambda(string in) {    return !has_prefix(in, "RoxenUserID");    } );    mapping r = Roxen.http_redirect(id->not_query + path_info, id, 0,    id->real_variables);    id->prestate = orig_prestate;    if (r->error)    RXML_CONTEXT->set_misc (" _error", r->error);    if (r->extra_heads)    RXML_CONTEXT->extend_scope ("header", r->extra_heads);    return 0;    }    } else {    if ( !id->cookies->RoxenUserID ) {    string session_id = roxen->create_unique_id(); -  id->add_response_header( "Set-Cookie", Roxen.http_roxen_id_cookie( session_id ) ); +  // NB: Inlined call of Roxen.http_roxen_id_cookie() below. 
+  Roxen.set_cookie(id, "RoxenUserID", session_id, 3600*24*365*2, +  UNDEFINED, "/", args->secure, args->httponly);    id->cookies->RoxenUserID = session_id;    return 0;    }    }    }    }   }         // --- Documentation ------------------------------------------
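Review bot: Both new `Roxen.set_cookie` calls leave Secure and HttpOnly off unless the page author passes the attributes, so every existing `<force-session-id/>` keeps issuing a two-year RoxenUserID readable by client-side script. Because this cookie keys the session scope, consider making HttpOnly the default and letting pages opt out, or at least have the comment say the default is unchanged. The call and the `3600*24*365*2` lifetime are now duplicated in two branches and no longer track `Roxen.http_roxen_id_cookie()`. A named constant such as `constant session_cookie_lifetime = 3600*24*365*2;` and one small helper would keep them in step. In the `use-prestate` branch the same session id also travels in the redirect URL, which neither flag protects. `do_enter` starts outside this hunk.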
Roxen.git/server/modules/tags/session_tag.pike:237: Inside #if defined(manual)
  #ifdef manual   constant tagdoc = ([    "session":#"<desc type='cont'><p>Creates a session bound scope. The session is   identified by a session key, given as an argument to the session tag.   The session key could be e.g. a value generated by   <ent>roxen.unique-id</ent> which is then transported by form   variables. An alternative which often is more convenient is to use the   variable client.session (provided by this module) together with the   <tag>force-session-id</tag> tag and the feature to set unique browser   id cookies in the http protocol module (located under the server ports - tab).</p></desc> + tab).</p> + <p>The following fragment sets up a new session with a variable in it</p> + <ex-box> +  <!-- Force a session ID if one doesn't exist --> +  <force-session-id /> +  <session id='client.session' scope='mysession'> +  <!-- +  Our current scope is now the 'mysession' scope. Any variables +  created in this scope will be accessible wherever the same +  session is set up at a later stage. +  -->    -  +  <!-- Create a variable in the scope --> +  <set variable='_.message'>Hello World!</set> +  +  Variable 'message' in the scope 'mysession' is now created in session id &client.session;:<br/> +  &_.message; +  +  </session> + </ex-box> + <p>And the following fragment uses the same variable in another page</p> + <ex-box> +  <!-- Make sure things are not over cached --> +  <nocache> +  <!-- Force a session ID if one doesn't exist --> +  <force-session-id /> +  +  <session id='client.session' scope='mysession'> +  <!-- +  Inside this container, we now have access to all the +  variables from the mysession scope again +  --> +  +  Variable 'message' in the scope 'mysession' in session id &client.session;:<br/> +  &mysession.message; +  </session> +  </nocache> + </ex-box> + </desc> +    <attr name='id' value='string' required='1'><p>The key that identifies   the session. Could e.g. 
be a name, an IP adress, a cookie or the value   of the special variable client.session provided by this module (see   above).</p></attr>      <attr name='life' value='number' default='900'><p>Determines how many   seconds the session is guaranteed to persist on the server side.</p>      <p>If the module isn't configured to use a shared database, then   values over 900 means that the session variables will be moved to a
Roxen.git/server/modules/tags/session_tag.pike:301: Inside #if defined(manual)
   for that tag).</p></item>   </list>   <p>Note that the Session tag module must be loaded for this entity to exist.</p></desc>",       // ------------------------------------------------------------       "force-session-id":#"<desc tag='tag'><p><short>Forces a session id to be set in the variable <ent>client.session</ent>.</short></p>   <p>Depending on the settings of this module, there are two ways the session cookie is set:</p>   <list type='ul'>    <item> -  <p><b>Default</b><p>If no RoxenUserID cookie exists, headers to set the cookie +  <p><b>Default</b></p> +  <p>If no RoxenUserID cookie exists, headers to set the cookie    is generated. The client.session variable is set and usable immediately during    the request from then on. If the client do not support cookies or has cookies turned    off, each request the force-session-id tag is used, the session key will have a    different value.</p></item>    <item><p><b>Deprecated</b></p>    <p>If no RoxenUserID cookie exist, a redirect is made to the same page with   a prestate containing a newly generated session key together with a Set-Cookie   header with the same key as value. The prestate is used if the cookie cannot be set. If both the RoxenUserID cookie and the session prestate is set, it redirects back to the same page without any prestate. I.e. two redirects for client that supports cookies, and one redirect for clients that don't. Also note that the tag itself does not stop the RXML parser during these requests the redirects are made. This is why it is deprecated; the fallback only works as long as the prestate exists, secondly the search engines will have two urls containing the same content due to the redirects.</p></item>    </list>   
Roxen.git/server/modules/tags/session_tag.pike:351: Inside #if defined(manual)
   <else>    Your browser do not support cookies.    </else>    </if>    <else>    <set-cookie name=\"testing_cookie\" value=\"1\"/>    <redirect to=\"&page.path;?test-cookie=1\"/>    </else>   </nocache>   </ex-box> - </desc>", + </desc>    -  + <attr name='secure'> +  <p>If this attribute is present the session cookie will be set with the Secure +  attribute. The Secure flag instructs the user agent to use only (unspecified) +  secure means to contact the origin server whenever it sends back the session +  cookie. If the browser supports the secure flag, it will not send the session +  cookie when the request is going to an HTTP page.</p> + </attr> +  + <attr name='httponly'> +  <p>If this attribute is present the session cookie will be set with +  the HttpOnly attribute. If the browser supports the HttpOnly flag, +  the session cookie will be secured from being accessed by a client +  side script.</p> + </attr> + ", +    ]);   #endif
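Review bot: The `secure` attribute text does not say what happens when the tag runs on a page served over plain HTTP. Current browsers generally refuse to store a Secure cookie set from an insecure origin, and the cookie is never sent back over HTTP, so such a client would get a new client.session on every request, the same effect the Default item describes for clients without cookies. I would add a sentence such as `Only use this attribute on pages that are always served over HTTPS; over plain HTTP the session will not persist between requests.` The `httponly` paragraph could also note that the flag only hides the cookie from scripts and does not protect it in transit. The closing clause of the `secure` paragraph reads better as `it will not send the session cookie with requests made over plain HTTP`.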