openresty / lua-nginx-module

Embed the Power of Lua into NGINX HTTP servers
https://openresty.org/
11.33k stars 2.03k forks source link

Stateful Session Support #302

Closed bungle closed 11 years ago

bungle commented 11 years ago

Hi,

I'm a little bit concerned using https://github.com/agentzh/encrypted-session-nginx-module. As I understand, that module is creating stateless (unsigned?) session cookies (the data is stored on a client). In alternative to that, it would be nice to have old-skool stateful session cookies in OpenResty as well, is this considered?

API:

ngx.session.start() ngx.session.set(key, value) ngx.session.get(key) ngx.session.destroy() ngx.session.regenerate()

Backend store could be Redis/memcached for the first implementation (expires supported) (cron-job + files maybe later).

The implementation should use:

Some pointers:

I think that this should be part of a modern web development stack. I know that this has been questioned before: https://github.com/chaoslawful/lua-nginx-module/issues/13 (in addition to that encrypted-session-nginx-module), but should this at least be reconsidered?

I would also like to see Password API:

ngx.password.hash(password, algorithm [, options]) ngx.password.check(password, hash) ngx.password.conflicts(hash, algorithm [, options])

Password hashing algorithms that could be used are scrypt, pbkdf2, and bcrypt. Even one of them is more than enought for the start.

Some pointers:

These could be implemented on client-lua libs, but I think that these use-cases are so common, yet so many times implemented wrongly that they could be part of lua_nginx_module.

I could look at some of these, but my C is very rusty, and I hesitate adding external dependies to lua-nginx-module.

What do you think? Is there room for disqussion, or should I (, and maybe others) go on and look to this problem from Lua library perspective?

agentzh commented 11 years ago

@bungle Thank you for looking into this part. I have several comments:

  1. When using the ngx_encrypted_session, you only put the user ID into the session, rather than password or other confidential information.
  2. High-level server-stored sessions are better implemented as separate Lua libraries. The goal is to keep the ngx_lua core minimal and this kind of things are not necessary to be part of the ngx_lua core. You'll have external dependencies on lua-resty-redis or lua-resty-memcached anyway.
  3. This should not be written in C in the first place. It should be written in Lua, considering that I'm also rewriting the ngx_lua core with Lua in the lua-resty-core library: https://github.com/agentzh/lua-resty-core
bungle commented 11 years ago

@agentzh thank you for the answer. You may close this. I will start to look at implementing my own lua-resty-session, and lua-resty-password libraries (if I get them to work, I will put them on github). lua-resty-core looks nice. I have to agree that using Lua as much as possible, this project will proceed faster.

agentzh commented 11 years ago

@bungle That'll be great! I really appreciate your efforts :) Also, using Lua can also be much faster than using the classic Lua C API when the Lua code is JIT compiled by LuaJIT ;)

eoranged commented 11 years ago

@agentzh sorry for off-topic question, but I've checked out lua-resty-core and realized that It uses FFI calls for nginx internal functions, not for external libraries.

Is It a (still undocumented?) feature of LuaJIT 2.1 or I read docs poorly?

agentzh commented 11 years ago

@eoranged LuaJIT FFI just looks for "external symbols" (or exported symbols), no matter the symbol is in an external DSO or not.

eoranged commented 11 years ago

@agentzh Oh, thanks a lot!

You just saved me from writing tons of useless wrappers.

agentzh commented 11 years ago

@eoranged I'm glad I did :)

bungle commented 11 years ago

@agentzh I'm glad too. That ffi-stuff really blows my mind. So beautiful, and elegant.