Open define-private-public opened 7 years ago
This should be implemented in a separate library IMO. I think @FedericoCeratto has created one already.
Federico's Project: https://github.com/FedericoCeratto/nim-httpauth It looks very powerful but has an external dependency on libsodium.
Here are example implementations for python web frameworks flask and hug. https://github.com/pallets/flask/blob/master/flask/sessions.py https://github.com/timothycrosley/hug/blob/master/hug/middleware.py#L27
I think it would be very handy to have this builtin for jester.
IMHO this should be part of jester.
Session management could exist in a small dedicated library, as done in other languages. However, encryption and signature is required for cookie-based. Is the dependency on libsodium going to be a problem?
@Araq why?
@dom96 sessions are in scope for micro frameworks in other languages, I don't think it's unreasonable to add to jester.
Because every web project needs it and jester doesn't seem to give me much. I don't need fancy URL dispatching, I can do that easily enough on my own. Session management would add some real value. But note that I only know jester from its usage in nimforum.
Okay. In that case I'm willing to include sessions in Jester.
@dom96 awesome. Please do, I'm in need of this now. In the meantime I'll take a look at @FedericoCeratto's lib (I don't mind dependencies).
@dom96 sorry if I missed progress on this. Has session support been implemented in jester? If not, are there plans?
Authentication requires password hashing and session can require signing. Relying on a well known cryptographic library is the safe alternative to homemade crypto.
I'm now working on adding sessions to my app. So we have setCookie(). What is the best practice for facilitating a session? My first thought is to keep a hash or random string in memory or in a backend that matches what's in the cookie. "Session can require signing": To what end? This means I sign the cookie contents with a private key and include the signature in the cookie so later I can verify it server-side?
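To answer the question just asked in concrete terms, here is a signed-cookie session in the style of the Flask sessions.py linked earlier: the payload is serialised, an HMAC over it is appended, and the server later recomputes the HMAC before trusting anything in the cookie. This is an added example written for this thread in Python; it is not Jester's, Flask's or Federico's code, and the key, the one-hour lifetime and the function names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the example only; a deployment loads it from
# configuration and never sends it to the client.
SECRET_KEY = b"example-secret-key-do-not-use-in-production"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict, secret: bytes = SECRET_KEY,
                 now: Optional[float] = None) -> str:
    """Turn a session dict into a cookie value of the form payload.signature.

    Signing gives integrity, not secrecy: the payload is only base64 and the
    client can read it, so nothing confidential belongs in it.
    """
    payload = dict(data)
    payload["_issued"] = int(now if now is not None else time.time())
    body = _b64encode(json.dumps(payload, sort_keys=True).encode("utf-8"))
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64encode(sig)}"


def verify_session(cookie: str, secret: bytes = SECRET_KEY,
                   max_age: int = 3600,
                   now: Optional[float] = None) -> Optional[dict]:
    """Return the session dict if the signature is valid and unexpired, else None."""
    try:
        body, sig_text = cookie.rsplit(".", 1)
        presented = _b64decode(sig_text)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the verifier does not leak how many
    # signature bytes matched.
    if not hmac.compare_digest(presented, expected):
        return None
    payload = json.loads(_b64decode(body))
    current = now if now is not None else time.time()
    if current - payload.get("_issued", 0) > max_age:
        return None
    payload.pop("_issued", None)
    return payload


if __name__ == "__main__":
    cookie = sign_session({"user": "alice"})
    print(cookie)
    print(verify_session(cookie))
```

The server never stores anything here, which is the appeal of the approach; the cost is that a cookie stays valid until its age runs out, so revoking a single session early needs server-side state of the kind discussed later in the thread.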
HttpOnly flag: HttpOnly cookies are inaccessible to JavaScript's Document.cookie API; they are only sent to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and the HttpOnly flag should be set.
Here we go: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
I started something here: https://github.com/TensorTom/sqlsessions.nim
Will probably have a working version in a few days. I'm using SQL as a backend since holding session state in memory sounds tedious and probably bad.
This would be a real shot in the arm for jester and make it a much better web framework. As far as I can tell, jester doesn't have support right now for something like sessions, such as PHP has: http://php.net/manual/en/session.examples.basic.php
Right now it looks like an integer/id field could be added in the Request object, and then sent to the user via the cookies. There would probably need to be a table or something to record sessions. The reason why this is important to add is so jester could have support for something like CSRF tokens.
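The server-side design sketched in the last few comments (an opaque id in the cookie, a table recording sessions, and a CSRF token bound to each session) as an added Python example using sqlite3, written for this thread rather than taken from Jester or sqlsessions.nim. The table layout, the one-hour lifetime, the cookie name "sid" and the method names are assumptions. One point the comment above glosses over is why the id cannot simply be an integer row id: it must be unguessable, so it comes from the OS random generator, and the integer key, if wanted, stays internal.

```python
import hmac
import secrets
import sqlite3
import time
from typing import Optional

SESSION_TTL = 3600  # seconds a session id stays valid (assumed value)


class SessionStore:
    """Server-side sessions: the cookie carries only a random, opaque id."""

    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS sessions ("
            " id TEXT PRIMARY KEY, user TEXT NOT NULL,"
            " csrf_token TEXT NOT NULL, expires_at INTEGER NOT NULL)"
        )

    def create(self, user: str, now: Optional[float] = None) -> str:
        """Start a session and return the id to place in the cookie."""
        now = now if now is not None else time.time()
        # 32 bytes from the OS CSPRNG: a counter or row id would let one
        # client guess another client's session.
        session_id = secrets.token_urlsafe(32)
        csrf_token = secrets.token_urlsafe(32)
        self.db.execute(
            "INSERT INTO sessions (id, user, csrf_token, expires_at)"
            " VALUES (?, ?, ?, ?)",
            (session_id, user, csrf_token, int(now) + SESSION_TTL),
        )
        self.db.commit()
        return session_id

    def lookup(self, session_id: str,
               now: Optional[float] = None) -> Optional[dict]:
        """Resolve a cookie value to its session, or None if unknown or expired."""
        now = now if now is not None else time.time()
        row = self.db.execute(
            "SELECT user, csrf_token, expires_at FROM sessions WHERE id = ?",
            (session_id,),
        ).fetchone()
        if row is None or row[2] < now:
            return None
        return {"user": row[0], "csrf_token": row[1]}

    def csrf_token(self, session_id: str,
                   now: Optional[float] = None) -> Optional[str]:
        """Token to embed in forms rendered for this session."""
        session = self.lookup(session_id, now)
        return session["csrf_token"] if session else None

    def check_csrf(self, session_id: str, submitted: Optional[str],
                   now: Optional[float] = None) -> bool:
        """A state-changing request must echo the token tied to its session."""
        expected = self.csrf_token(session_id, now)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)

    def destroy(self, session_id: str) -> None:
        """Logout: with server-side state a session can be revoked at once."""
        self.db.execute("DELETE FROM sessions WHERE id = ?", (session_id,))
        self.db.commit()

    def purge_expired(self, now: Optional[float] = None) -> int:
        now = now if now is not None else time.time()
        cur = self.db.execute(
            "DELETE FROM sessions WHERE expires_at < ?", (int(now),))
        self.db.commit()
        return cur.rowcount


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Set-Cookie value for the id: HttpOnly keeps it out of Document.cookie,
    Secure restricts it to HTTPS, SameSite=Lax blunts cross-site requests."""
    attrs = ["HttpOnly", "SameSite=Lax", "Path=/"]
    if secure:
        attrs.insert(0, "Secure")
    return f"sid={session_id}; " + "; ".join(attrs)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie_header(sid))
    print(store.lookup(sid))
    print(store.check_csrf(sid, store.csrf_token(sid)))
```

The CSRF check works because a cross-site form post carries the session cookie but cannot read the token rendered into the page, so it cannot echo it; the token is compared with hmac.compare_digest for the same timing reason as a signature.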