SecureSessions
WARNING
The security of this implementation has not been reviewed by a security professional. Use at your own risk.
Functionality
- Encrypted, tamper-proof cookies; used primarily for stateless secure sessions.
- Password hashing; used for login.
Security Protocols
For the current status of the security protocols used see this doc.
Usage
The API is detailed below.
Basic examples are in test/runtests.jl.
This repo contains example web applications:
- Example 5 demonstrates secure cookies.
- Example 6 uses password hashing for login as well as secure cookies.
See docs/outline for a description of these examples.
API
Pkg.add("SecureSessions")
using SecureSessions
##########################
### Secure cookies
##########################
username_is_permissible(username) # Returns true if username adheres to a set of rules defined in the package.
# Create a secure cookie called "sessionid" and include it in the response.
# data is user-supplied, encrypted and included as part of the cookie value.
# For example, data may be a username.
create_secure_session_cookie(data, res::Response, "sessionid")
# Extract and decrypt data from the "sessionid" cookie in the request.
# This is the same user-supplied data included during the cookie's construction.
get_session_cookie_data(req::Request, "sessionid")
##########################
### Password storage
##########################
password_is_permissible(password) # Returns true if password adheres to a set of rules defined in the package
# Store password...add salt, then hash, then store in type StoredPassword.
immutable StoredPassword
salt::Array{UInt8, 1}
hashed_password::Array{UInt8, 1}
end
# The constructor argument is an AbstractString
# A salt is randomly generated using a cryptographically secure RNG
sp = StoredPassword(password)
password_is_valid(password::AbstractString, sp::StoredPassword) # Returns true if hash(sp.salt, password) == sp.hashed_password