SecureSessions.jl

Secure sessions for web apps written in Julia
Started in November 2015

SecureSessions


WARNING

The security of this implementation has not been reviewed by a security professional. Use at your own risk.

Functionality

  • Encrypted, tamper-proof cookies; used primarily for stateless secure sessions.
  • Password hashing; used for login.

Security Protocols

For the current status of the security protocols used see this doc.

Usage

The API is detailed below.

Basic examples are in test/runtests.jl.

This repo contains example web applications:

  • Example 5 demonstrates secure cookies.
  • Example 6 uses password hashing for login as well as secure cookies.

See docs/outline for a description of these examples.

API

Pkg.add("SecureSessions")
using SecureSessions

##########################
### Secure cookies
##########################
username_is_permissible(username)    # Returns true if username adheres to a set of rules defined in the package.

# Create a secure cookie called "sessionid" and include it in the response.
# data is user-supplied, encrypted and included as part of the cookie value.
# For example, data may be a username.
create_secure_session_cookie(data, res::Response, "sessionid")

# Extract and decrypt data from the "sessionid" cookie in the request.
# This is the same user-supplied data included during the cookie's construction.
get_session_cookie_data(req::Request, "sessionid")

##########################
### Password storage
##########################
password_is_permissible(password)     # Returns true if password adheres to a set of rules defined in the package.

# Store a password: add a salt, then hash, then keep the result in a StoredPassword.
immutable StoredPassword
    salt::Array{UInt8, 1}
    hashed_password::Array{UInt8, 1}
end

# The constructor argument is an AbstractString
# A salt is randomly generated using a cryptographically secure RNG
sp = StoredPassword(password)
password_is_valid(password::AbstractString, sp::StoredPassword)    # Returns true if hash(sp.salt, password) == sp.hashed_password
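The API above, put together into a minimal register/login/session flow. This is an added example, not code from the SecureSessions.jl repo; it assumes `Request` and `Response` (with a `status` field) come from HttpServer.jl as in the package's example apps, and that `get_session_cookie_data` returns `nothing` when the cookie is missing or fails to decrypt and authenticate.

```julia
# Added example (not from the SecureSessions.jl repo): a minimal login flow built
# on the package API listed above.
# Assumptions: Request/Response are HttpServer.jl types with a `status` field;
# get_session_cookie_data returns `nothing` when the cookie is absent or invalid.
using SecureSessions
using HttpServer   # assumption: supplies Request and Response

# In-memory user store (constructed for this example); key is the username.
const USERS = Dict{AbstractString, StoredPassword}()

# Registration: refuse usernames/passwords that break the package's rules
# before a StoredPassword (salt + hash) is created and kept.
function register!(username::AbstractString, password::AbstractString)
    username_is_permissible(username) || return false
    password_is_permissible(password) || return false
    haskey(USERS, username) && return false    # never silently overwrite an account
    USERS[username] = StoredPassword(password) # salt drawn from the package's CSPRNG
    return true
end

# Login: verify the submitted password against the stored salt+hash, then issue
# the encrypted, tamper-proof "sessionid" cookie carrying only the username.
function login!(username::AbstractString, password::AbstractString, res::Response)
    sp = get(USERS, username, nothing)
    # Unknown user and wrong password take the same path, so the response
    # does not reveal which of the two failed.
    if sp === nothing || !password_is_valid(password, sp)
        res.status = 401   # assumption: HttpServer.jl Response exposes `status`
        return false
    end
    create_secure_session_cookie(username, res, "sessionid")
    return true
end

# Later requests: the username is taken only from the decrypted cookie data,
# never from a client-controlled form field or header.
function current_user(req::Request)
    data = get_session_cookie_data(req, "sessionid")
    (data === nothing || !haskey(USERS, data)) && return nothing
    return data
end
```

`current_user` re-checks that the decrypted username still exists in the store, so a session for a deleted account stops working even though the cookie itself remains valid.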