serversession/examples/serversession-example-yesod-persistent/templates/homepage.hamlet
Felipe Lessa 66d858170e Add serversession code to Yesod+Persistent example.
Example doesn't showcase yesod-auth integration, though.
2015-06-01 14:36:15 -03:00

70 lines
2.1 KiB
Plaintext

<h1>
  Server-side session example
<p>
  This example site demonstrates using #
  <a href="https://github.com/yesodweb/serversession"><code>serversession</code></a> #
  with Yesod and Persistent.

<section>
  <h2>
    Current session properties
  <dl>
    <dt>Session ID
    <dd>#{maybe "-- no session --" id msid}
    <dt>Session variables
    <dd>
      $if null vars
        -- no session variables --
      $else
        <table .table .session-vars>
          <thead>
            <tr>
              <td>Key
              <td>Value
          <tbody>
            $forall (key, val) <- vars
              <tr>
                <td>#{show key}
                <td>#{show val}
                <td>
                  <form method=POST action=@{SessionDeleteR key}>
                    <button .btn .btn-danger type=submit>
                      Delete #
                      <i .glyphicon .glyphicon-trash>

<section>
  <h2>
    Adding or modifying session variables
  <form .form-horizontal method=POST action=@{SessionAddR} enctype=#{sessionAddFormEnctype}>
    ^{sessionAddFormWidget}

<section>
  <h2>
    Forcing invalidation of the session
  <p>
    The <code>serversession</code> package supports session #
    invalidation: destroying the current session ID and creating a #
    new one. This is used to avoid session fixation attacks, where #
    an attacker convinces a victim to use the same session ID as #
    the attacker and asks the victim to log in. If the session is not #
    invalidated upon login, the attacker will now be in possession #
    of a session ID that is logged in as the victim. If the #
    session is invalidated, the victim receives a new session ID #
    that the attacker doesn't have any knowledge of. Session #
    invalidation is also useful to log the user out of all of their #
    sessions after changing their password, for example.
  <p>
    Use the form below to force a session invalidation to occur. #
    Note that the contents of this session are not lost!
  <form .form-horizontal method=POST action=@{ForceR} enctype=#{forceFormEnctype}>
    ^{forceFormWidget}
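
The session fixation scenario described in the template text above, as an added example that is not part of the serversession repository: a pure Haskell model of a server-side session store that compares a login keeping the caller's session ID with a login that invalidates it. `Store`, `put`, `whoami`, `loginKeepId` and `loginRotateId` are hypothetical names, not serversession's API, and the counter-based ID stands in for the random ID a real store would generate.

```haskell
-- Added example: a simplified model, not serversession's implementation.
module Main (main) where

import Data.Maybe (fromMaybe)

type SessionId = String
type User      = String

-- | Store state: a counter for fresh IDs (assumption: a real store uses a
-- CSPRNG) and a table from each live session ID to its logged-in user.
data Store = Store { nextId :: Int, sessions :: [(SessionId, Maybe User)] }

-- | Which user, if any, is authenticated under this session ID?
whoami :: SessionId -> Store -> Maybe User
whoami sid = fromMaybe Nothing . lookup sid . sessions

-- | Insert or overwrite one session entry.
put :: SessionId -> Maybe User -> Store -> Store
put sid u st = st { sessions = (sid, u) : filter ((/= sid) . fst) (sessions st) }

-- | Login that keeps the caller's session ID (the fixation-prone behaviour).
loginKeepId :: User -> SessionId -> Store -> (SessionId, Store)
loginKeepId user sid st = (sid, put sid (Just user) st)

-- | Login that destroys the old ID and issues a fresh one.
loginRotateId :: User -> SessionId -> Store -> (SessionId, Store)
loginRotateId user sid st = (new, put new (Just user) st')
  where
    new = "fresh-" ++ show (nextId st)
    st' = st { nextId   = nextId st + 1
             , sessions = filter ((/= sid) . fst) (sessions st) }

main :: IO ()
main = do
  let fixed = "known-to-attacker"            -- constructed sample ID
      st0   = put fixed Nothing (Store 0 []) -- anonymous session shared with the victim
      (_, kept)      = loginKeepId   "victim" fixed st0
      (sid, rotated) = loginRotateId "victim" fixed st0
  -- Without invalidation the pre-login ID is now authenticated as the victim.
  putStrLn $ "keep ID,   old ID resolves to: " ++ show (whoami fixed kept)
  -- With invalidation the pre-login ID is dead; only the new ID is logged in.
  putStrLn $ "rotate ID, old ID resolves to: " ++ show (whoami fixed rotated)
  putStrLn $ "rotate ID, new ID resolves to: " ++ show (whoami sid rotated)
```

The model tracks only the authenticated user per ID; it does not model carrying session variables over to the new ID, which the template text says serversession preserves.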