http-session (historical revision 27938)

You are looking at historical revision 27938 of this page. It may differ significantly from its current revision.

http-session

Introduction

http-session is an implementation of facilities for managing HTTP sessions of web applications.

API

Parameters

session-lifetime

[parameter] (session-lifetime [number])

The lifetime of sessions in seconds. Default is 3600s (1h).

session-id-generator

[parameter] (session-id-generator [procedure])

A zero argument procedure which generates a random unique identifier for sessions. Defaults to a procedure which concatenates current-milliseconds with the process ID and a random number between 0 and 1000 plus the current-process-id and returns its SHA-1 digest.

match-ip-address?

[parameter] (match-ip-address? [boolean])

Indicates whether http-session should match IP addresses to check if sessions are valid.

Procedures

session-create

[procedure] (session-create #!optional (bindings '()))

Creates a session and returns the session identifier.

The optional bindings argument is an alist '((symbol . value)...) of variable bindings valid for the generated session.

session-refresh!

[procedure] (session-refresh! sid)

Refreshes the session identified by sid, that is, sets the lifetime of the session identified by sid to (session-lifetime).

session-valid?

[procedure] (session-valid? sid)

Returns #t if the session identified by sid is valid. Returns #f otherwise.

A session is valid if (all items should be satisfied):

There is a session identifier equal to sid in the session table
The session lifetime corresponding to the session identified by sid is greater than zero
When match-ip-address? is not #f, the IP number corresponding to the session identified by sid matches the IP number of the client

 (use awful http-session)
 
 (define (session-item->list session-item)
   (list (session-item-expiration session-item)
         (session-item-ip session-item)
         (session-item-bindings session-item)
         (session-item-finalizer session-item)))
 
 (define (list->session-item l)
   (apply make-session-item l))
 
 (session-storage-initialize
  (lambda ()
    (let ((dir (create-temporary-directory)))
      (print "Using " dir " as sessions-dir.")
      dir)))
 
 (session-storage-set!
  (lambda (sid session-item)
    (with-output-to-file (make-pathname (session-storage) sid)
      (lambda ()
        (pp (session-item->list session-item))))))
 
 (session-storage-ref
  (lambda (sid)
    (let ((data (with-input-from-file
                    (make-pathname (session-storage) sid)
                  read)))
      (list->session-item data))))
 
 (session-storage-delete!
  (lambda (sid)
    (delete-file* (make-pathname (session-storage) sid))))
 
 
 ;; awful pages
 (define-session-page (main-page-path)
   (lambda ()
     (with-request-variables (foo)
       ($session-set! 'foo foo)
       (string-append "foo set to " (->string foo)))))
 
 (define-session-page "/foo"
   (lambda ()
     (->string ($session 'foo))))

Usage example

Web server

(use spiffy web-scheme-handler http-session html-tags html-utils spiffy-request-vars)
(file-extension-handlers `(("ws" . ,web-scheme-handler)))
(start-server)

index.ws

(define (page:next sid)
  (html-page
   (string-append
    (<h1> (let ((n (add1 (session-ref sid 'n 0))))
            (session-set! sid 'n n)
            (number->string n)))
    (<a> href: (string-append "?sid=" sid) "Next"))))

(let ((sid ((request-vars) 'sid)))
  (if sid
      (if (session-valid? sid)
          (begin (session-refresh! sid)
                 (page:next sid))
          (html-page "Invalid session."))
      (let ((sid (session-create)))
        (page:next sid))))

Backend storage API
Removed session-table, make-session-table, session-delete-binding! and session-delete! (deprecated a long time ago)

Version 2.6

Raise specific invalid-session error instead of a general error when attempting to access sessions using invalid sid (as suggested by Moritz Heidkamp)
Compile with -O3 instead of -O2

Version 2.5

Replaced sha1 by simple-sha1 as dependency.

Version 2.4

Bug fix for session-id-generator for long duration processes. The current-milliseconds value overflows the exact numbers limit for long lived process, so inexact->exact failed. Updating to this version is highly recommended.

Version 2.3

Dropped requirement for regex

Version 2.2

Handle the inexactness of current-milliseconds on chickens >= 4.6.0

Version 2.1

Added the session-set-finalizer! procedure (by Moritz Heidkamp)

Version 2.0

Some major changes
make-session-table is now exported (it was make-table internally).
current-url and current-ip are gone
session-create doesn't use the url-pattern argument anymore (the session-table can be parameterized for separating web applications)
added match-ip-address? parameter. By default, http-session ignores the IP address of the client when checking whether the session is valid. If match-ip-address? is #t, it will take the IP address into account.
Deprecated procedures: session-delete-binding! and session-delete!
New procedures: session-del! (to substitute session-delete-binding!) and session-destroy! (to substitute session-delete!)

Version 1.2.3

Added parameters to export list again

Version 1.2.2

Ported to Chicken 4

Version 1.2

Added http-session:bindings, bug fix for http-session:set!.

Version 1.1

Bug fix

Version 1.0

Initial release

http-session

Introduction

Author

Requirements

API

Parameters

session-lifetime

session-id-generator

match-ip-address?

Procedures

session-create

session-refresh!

session-valid?

session-destroy!

session-ref

session-set!

session-del!

session-bindings

session-set-finalizer!

Configurable storage backend API

session-storage-initialize

session-storage-set!

session-storage-ref

session-storage-delete!

File-based backend storage example