Revision: 4240 Author: edi URL: http://bknr.net/trac/changeset/4240
Take care of session secret
U trunk/thirdparty/hunchentoot/acceptor.lisp U trunk/thirdparty/hunchentoot/packages.lisp U trunk/thirdparty/hunchentoot/session.lisp U trunk/thirdparty/hunchentoot/specials.lisp U trunk/thirdparty/hunchentoot/util.lisp
Modified: trunk/thirdparty/hunchentoot/acceptor.lisp
===================================================================
--- trunk/thirdparty/hunchentoot/acceptor.lisp 2009-02-11 21:19:33 UTC (rev 4239)
+++ trunk/thirdparty/hunchentoot/acceptor.lisp 2009-02-11 21:44:43 UTC (rev 4240)
@@ -182,6 +182,11 @@
;; general implementation
+(defmethod start :before ((acceptor acceptor))
+ (unless (boundp '*session-secret*)
+ (hunchentoot-warn "Session secret is unbound. Using Lisp's RANDOM function to initialize it.")
+ (reset-session-secret)))
+
 (defmethod start ((acceptor acceptor))
 (start-listening acceptor)
 (let ((connection-dispatcher (acceptor-connection-dispatcher acceptor)))
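Review bot: The fallback secret installed by the new `start :before` method comes from `reset-session-secret`, which (per the session.lisp hunk) calls `create-random-string 10 36` and so draws from `RANDOM` on `*the-random-state*` — a general-purpose PRNG, not a cryptographic source — and yields at most about 52 bits; because `*session-secret*` is what makes session identifiers unforgeable, the warning should tell operators what to do rather than only which function was used. I would change the message to `"Session secret is unbound. Using Lisp's RANDOM function to initialize it. Bind *SESSION-SECRET* to a long value from a cryptographically strong source before starting acceptors for production use."` and add the same advice to the `*session-secret*` docstring in the specials.lisp hunk. How `*the-random-state*` is seeded is outside this changeset, so the actual unpredictability of the fallback cannot be judged from here. The `boundp` test also accepts a secret that a caller has bound to NIL or an empty string; since I cannot see how session verification consumes the value, a guard such as `(unless (and (boundp '*session-secret*) (plusp (length *session-secret*)))` is a suggestion to confirm against session.lisp. The `:before` method is complete within the hunk; the primary `start` method that follows continues outside it.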
Modified: trunk/thirdparty/hunchentoot/packages.lisp
===================================================================
--- trunk/thirdparty/hunchentoot/packages.lisp 2009-02-11 21:19:33 UTC (rev 4239)
+++ trunk/thirdparty/hunchentoot/packages.lisp 2009-02-11 21:44:43 UTC (rev 4240)
@@ -38,7 +38,8 @@
 (:import-from :hunchentoot-asd :*hunchentoot-version*)
 #+:lispworks
 (:import-from :lw "WITH-UNIQUE-NAMES" "WHEN-LET")
- (:export "*APPROVED-RETURN-CODES*"
+ (:export "*ACCEPTOR*"
+ "*APPROVED-RETURN-CODES*"
 #+:lispworks
 "*CLEANUP-FUNCTION*"
 #+:lispworks
@@ -62,12 +63,12 @@
 "*REPLY*"
 "*REQUEST*"
 "*REWRITE-FOR-SESSION-URLS*"
- "*ACCEPTOR*"
 "*SESSION*"
 "*SESSION-COOKIE-NAME*"
 "*SESSION-GC-FREQUENCY*"
 "*SESSION-MAX-TIME*"
 "*SESSION-REMOVAL-HOOK*"
+ "*SESSION-SECRET*"
 "*SHOW-LISP-ERRORS-P*"
 "*TMP-DIRECTORY*"
 "*USE-REMOTE-ADDR-FOR-SESSIONS*"
@@ -207,6 +208,7 @@
 "REQUIRE-AUTHORIZATION"
 "RESET-CONNECTION-STREAM"
 "RESET-SESSIONS"
+ "RESET-SESSION-SECRET"
 "RETURN-CODE"
 "RFC-1123-DATE"
 "SCRIPT-NAME"
Modified: trunk/thirdparty/hunchentoot/session.lisp
===================================================================
--- trunk/thirdparty/hunchentoot/session.lisp 2009-02-11 21:19:33 UTC (rev 4239)
+++ trunk/thirdparty/hunchentoot/session.lisp 2009-02-11 21:44:43 UTC (rev 4240)
@@ -276,9 +276,13 @@
 session-identifier user-agent remote-addr)
 nil))))))
+(defun reset-session-secret ()
+ "Sets *SESSION-SECRET* to a new random value. All old sessions will
+cease to be valid."
+ (setq *session-secret* (create-random-string 10 36)))
+
 (defun reset-sessions ()
- "Removes ALL stored sessions and creates a new session secret."
- (reset-session-secret)
+ "Removes ALL stored sessions."
 (with-lock-held (*session-data-lock*)
 (loop for (nil . session) in *session-data*
 do (funcall *session-removal-hook* session))
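Review bot: The new `reset-sessions` docstring drops the sentence about the secret but does not say that the secret is now deliberately kept, so callers who relied on the old behaviour (every call rotated `*session-secret*`) get no hint that they must now call `reset-session-secret` themselves. I would make the docstring `"Removes ALL stored sessions. The session secret is left unchanged; call RESET-SESSION-SECRET as well if existing session identifiers must also cease to be valid."`. Separately, `reset-session-secret` assigns the special with `setq` outside `*session-data-lock*`, while `reset-sessions` takes that lock; presumably a verification in flight on another thread then sees either the old or the new secret, which is probably harmless, but a one-line comment on the `setq` stating that the assignment is intentionally unsynchronised would save the next reader the question. `reset-session-secret` is complete within the hunk; `reset-sessions` continues outside it.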
Modified: trunk/thirdparty/hunchentoot/specials.lisp
===================================================================
--- trunk/thirdparty/hunchentoot/specials.lisp 2009-02-11 21:19:33 UTC (rev 4239)
+++ trunk/thirdparty/hunchentoot/specials.lisp 2009-02-11 21:44:43 UTC (rev 4240)
@@ -137,7 +137,11 @@
 "A fresh random state.")
(defvar-unbound *session-secret*
- "A random value that's used to encode the public session data.")
+ "A random ASCII string that's used to encode the public session
+data. This variable is initially unbound and will be set (using
+RESET-SESSION-SECRET) by the first acceptor which is started. You can
+prevent this from happening if you set the value yourself before
+starting acceptors.")
(defvar-unbound *hunchentoot-stream*
 "The stream representing the socket Hunchentoot is listening on.")
Modified: trunk/thirdparty/hunchentoot/util.lisp
===================================================================
--- trunk/thirdparty/hunchentoot/util.lisp 2009-02-11 21:19:33 UTC (rev 4239)
+++ trunk/thirdparty/hunchentoot/util.lisp 2009-02-11 21:44:43 UTC (rev 4240)
@@ -120,11 +120,6 @@
 (format s "~VR" base (random base *the-random-state*)))))
-(defun reset-session-secret ()
- "Sets *SESSION-SECRET* to a new random value. All old sessions will
-cease to be valid."
- (setq *session-secret* (create-random-string 10 36)))
-
 (defun reason-phrase (return-code)
 "Returns a reason phrase for the HTTP return code RETURN-CODE
 (which should be an integer) or NIL for return codes Hunchentoot