RWT: Cookies
[1/17] from: maarten::koopmans::surfnet::nl at: 3-Mar-2003 19:41
REBOL
[
Title: "Logic to set and get HTTP cookies"
]
cookies: context
[
data: copy []
url-encode: func
[
{Replaces characters that are not allowed in URLs by their url-encoded
values.}
val [string!]
/local illegal-chars lval
]
[
lval: copy val
illegal-chars: {+%;/?:@= "<>#{}|\^~[]`}
foreach char illegal-chars
[
replace/all lval char join "%" enbase/base to-string char 16
]
return lval
]
url-decode: func
[
val [string!]
/local illegal-chars lval
]
[
lval: copy val
illegal-chars: {+%;/?:@= "<>#{}|\^~[]`}
foreach char illegal-chars
[
replace/all lval join "%" enbase/base to-string char 16 char
]
return lval
]
to-GMT-idate: func
[
"Returns a standard GMT-based Internet date string."
date [date!]
/local str GMT-date
]
[
str: copy {GMT}
GMT-date: date - date/zone
head insert str reform
[
pick ["Mon," "Tue," "Wed," "Thu," "Fri," "Sat," "Sun,"]
GMT-date/weekday
GMT-date/day
pick [ "Jan" "Feb" "Mar" "Apr" "May" "Jun" "Jul" "Aug" "Sep"
"Oct" "Nov" "Dec" ] GMT-date/month
GMT-date/year GMT-date/time ""
]
]
init: func
[
{Reads cookies from the HTTP header.}
/local cookies rule name val
]
[
data: copy []
if cookies: select system/options/cgi/other-headers "HTTP_COOKIE"
[
rule: [ copy name to "=" "=" [ copy val to ";" "; " | copy val to
end ]
(append data reduce [ name url-decode val ])]
parse cookies [ any rule ]
]
;write/append %/tmp/log rejoin [ cookies newline ]
]
set-cookie: func
[
{By default, cookie expires at end of session, path is /, domain is
server, and not secure.}
name [string!] "The cookie's name"
value [string!] "The cookie's value"
expires [date! none!] "Date, should also include time"
path [string! none!] "Path in which cookie should be returned"
domain [string! none!] "Your server or domain"
secure [logic! none!] "Return only over secure channels"
]
[
prin rejoin [{Set-Cookie:} name {=} url-encode value {; }]
all [expires prin rejoin [{expires=} to-GMT-idate expires {; }]]
all [path prin rejoin [{path=} path {; }]]
all [domain prin rejoin [{domain=} domain {; }]]
all [secure prin {secure}]
prin {^/}
]
get-cookie: func
[
{Returns the value of a cookie. Return none if the cookie is not set.}
name [string!] {Name of the cookie.}
]
[
select data name
]
]
[2/17] from: petr:krenzelok:trz:cz at: 4-Mar-2003 16:15
Hello Maarten,
I would like to see following function getting into your cookies module.
You had it included with previous cookie handling version, but now I
can't see it. However - I found out Windows timer granularity is not
that great and I got two consecutive generate-ID functions generating
identical ID. Then I found out, that my assumption of checksum/secure
randomizing result was probably wrong. So I added random/secure and I
hope now we will really get unique-enough IDs ... of course I would like
others to comment, as I am no cryptography guru :-)
generate-ID: func [/local t][
t: mold checksum/secure mold now/time/precise
random/secure copy/part at t 3 ((length? t) - 3)
]
cheers,
-pekr-
[3/17] from: maarten:koopmans:surfnet:nl at: 4-Mar-2003 20:22
1) Add if you like and submit the changes back to me as the GPL requires.
2) I don't feel it belongs there: it has nothing to do with cookies.
--Maarten
Petr Krenzelok wrote:
[4/17] from: hallvard:ystad:helpinhand at: 4-Mar-2003 21:52
Very nice. But does it handle HTTP_COOKIE2 ?
~H
Dixit Maarten Koopmans (19.41 03.03.2003):
[5/17] from: petr:krenzelok:trz:cz at: 5-Mar-2003 8:52
Hallvard Ystad wrote:
>Very nice. But does it handle HTTP_COOKIE2 ?
>
I found no satisfactory resources for better understanding of what
HTTP_COOKIE2 is all about. Could you please post any links or short
explanation?
Thanks a lot,
-pekr-
[6/17] from: rebol:laurent-chevalier at: 5-Mar-2003 8:24
Hi Petr,
I'm using this function to generate unique and secure session ID in my
rsp.cgi :
build-id: has [ id ][
random/seed join now/precise either config/log-path [ checksum read
config/log-path ][ checksum to-string now/precise ]
until [
id: make string! (config/session-key-length + 5)
loop config/session-key-length [ append id first random
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
]
not exists? to-file rejoin [config/session-dir id ext]
]
id
]
Note the definition of a unique seed with random/seed to avoid
repetition of ID.
I'm getting entropy that to checksum read configl/log-path that depends
on the users of the service and so can be guess by any hacker.
See the code and documentation at http://www.shlik.org/rsp
Regards,
Laurent
Maarten Koopmans wrote:
[7/17] from: petr:krenzelok:trz:cz at: 5-Mar-2003 11:30
Laurent Chevalier wrote:
> Hi Petr,
> I'm using this function to generate unique and secure session ID in my
<<quoted lines omitted: 14>>
> I'm getting entropy that to checksum read configl/log-path that
> depends on the users of the service and so can be guess by any hacker.
Are you sure hacker has any chance to guess the sequence? I find your
code a bit complicated for understanding do you think:
generate-id: func [/local t][
t: mold checksum/secure mold now/time/precise
random/secure copy/part at t 3 ((length? t) - 3)
]
IIRC in some earlier discussion someone stated that checksum/secure is
securely enough ... the only problem I got is - I was able to receive
the same now/time/precise values ... maybe of low Windows timer
granularity ... so I added random/secure and I can't believe a) someone
can guess the mechanism b) I can obtain two identical identifiers which
I want to use for login to system ...
cheers,
-pekr-
[8/17] from: rebol:laurent-chevalier at: 5-Mar-2003 13:00
Hi Petr,
I wrote a bit quickly this morning and I've swallowed some words. I
wanted to say that the entropy provided by the config/log-path file
ensures that a hacker can not guess the initial seed of the random
generator.
If you use time and if time is not precise enough, then you may be
vulnerable to brute force attacks, but I agree with you the risks are
rather low.
Moreover, you need to initialize the random generator each time with a
different random/seed to avoid always using the same random sequence.
IMHO, if you want to keep things simple, I think this would be a bit
more secure :
random/seed to-string now/precise
id: copy ""
loop 30 [ append id first random "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" ]
id
Regards,
Laurent
Petr Krenzelok wrote:
> Laurent Chevalier wrote:
>> Hi Petr,
<<quoted lines omitted: 39>>
>> Regards,
>> Laurent
--
Laurent
http://www.shlik.org
[9/17] from: cedricg:bluewin:ch at: 5-Mar-2003 13:34
why not :
id: copy ""
loop 30 [
randow/now to-string now/precise
append id first random "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
]
?
Le 5.03.2003, Laurent Chevalier a =E9crit :
[10/17] from: petr:krenzelok:trz:cz at: 5-Mar-2003 13:34
Laurent Chevalier wrote:
> Hi Petr,
> I wrote a bit quickly this morning and I've swallowed some words. I
<<quoted lines omitted: 12>>
> loop 30 [ append id first random "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" ]
> id
OK, thanks - then only one question remains for me - what is
random/secure option good for? Maybe it restart randomizer and even does
some more things to ensure randomizer is "secure" enough?
-pekr-
[11/17] from: rotenca:telvia:it at: 5-Mar-2003 14:12
Hi,
> Moreover, you need to initialize the random generator each time with a
> different random/seed to avoid always using the same random sequence.
<<quoted lines omitted: 4>>
> loop 30 [ append id first random "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" ]
> id
Perhaps could help:
randomize: has [seed] [
seed: now/precise
until [seed <> now/precise]
random/seed now/precise
seed: none
]
---
Ciao
Romano
[12/17] from: lmecir:mbox:vol:cz at: 5-Mar-2003 15:00
Hi Pekr,
> OK, thanks - then only one question remains for me - what is
> random/secure option good for? Maybe it restart randomizer and even does
> some more things to ensure randomizer is "secure" enough?
no, actually there are two different generators: RANDOM and RANDOM/SECURE. They both
use the same seed, /SECURE generator is slower, and its quality is higher, i.e. its statistical
properties are better.
HTH
-L
[13/17] from: g:santilli:tiscalinet:it at: 5-Mar-2003 14:36
Hi Petr,
On Wednesday, March 5, 2003, 1:34:47 PM, you wrote:
PK> OK, thanks - then only one question remains for me - what is
PK> random/secure option good for? Maybe it restart randomizer and even does
PK> some more things to ensure randomizer is "secure" enough?
RANDOM/SECURE uses a different algorithm to generate the random
sequence. The one used by RANDOM/SECURE is "much more random" than
the one used by plain RANDOM (which is faster).
Regards,
Gabriele.
--
Gabriele Santilli <[g--santilli--tiscalinet--it]> -- REBOL Programmer
Amigan -- AGI L'Aquila -- REB: http://web.tiscali.it/rebol/index.r
[14/17] from: hallvard:ystad:helpinhand at: 9-Mar-2003 13:20
Hi Maarten,
Don't you think, within your cookies context, that
illegal-chars: {+%;/?:@= "<>#{}|\^~[]`}
should really be
illegal-chars: {%+;/?:@= "<>#{}|\^~[]`}
So that a '+' won't be encoded as '%252B'?
~H
[15/17] from: maarten:koopmans:surfnet:nl at: 11-Mar-2003 8:23
You may be right, have you tried it?
--Maarten
Hallvard Ystad wrote:
[16/17] from: hallvard:ystad:helpinhand at: 11-Mar-2003 14:37
Yes, and I had to do the change for it to wrok properly.
~H
Dixit Maarten Koopmans <[maarten--koopmans--surfnet--nl]> (Tue,
11 Mar 2003 08:23:25 +0100):
[17/17] from: maarten:koopmans:surfnet:nl at: 11-Mar-2003 16:26
Thanks for supplying the patch then ;-)
--Maarten
Hallvard Ystad wrote:
Notes
- Quoted lines have been omitted from some messages.
View the message alone to see the lines that have been omitted