| pr_cookie {plumber} | R Documentation |
Store session data in encrypted cookies.
Description
plumber uses the crypto R package sodium, to encrypt/decrypt
req$session information for each server request.
Usage
pr_cookie(
pr,
key,
name = "plumber",
expiration = FALSE,
http = TRUE,
secure = FALSE,
same_site = FALSE,
path = NULL
)
Arguments
pr |
A Plumber API. Note: The supplied Plumber API object will also be updated in place as well as returned by the function. |
key |
The secret key to use. This must be consistent across all R sessions
where you want to save/restore encrypted cookies. It should be produced using
|
name |
The name of the cookie in the user's browser. |
expiration |
A number representing the number of seconds into the future
before the cookie expires or a |
http |
Boolean that adds the |
secure |
Boolean that adds the |
same_site |
A character specifying the SameSite policy to attach to the cookie.
If specified, one of the following values should be given: "Strict", "Lax", or "None".
If "None" is specified, then the |
path |
The URI path that the cookie will be available in future requests.
Defaults to the request URI. Set to |
Details
The cookie's secret encryption key value must be consistent to maintain
req$session information between server restarts.
Storing secure keys
While it is very quick to get started with user session cookies using
plumber, please exercise precaution when storing secure key information.
If a malicious person were to gain access to the secret key, they would
be able to eavesdrop on all req$session information and/or tamper with
req$session information being processed.
Please:
Do NOT store keys in source control.
Do NOT store keys on disk with permissions that allow it to be accessed by everyone.
Do NOT store keys in databases which can be queried by everyone.
Instead, please:
Use a key management system, such as 'keyring' (preferred)
Store the secret in a file on disk with appropriately secure permissions, such as "user read only" (
Sys.chmod("myfile.txt", mode = "0600")), to prevent others from reading it.
Examples of both of these solutions are done in the Examples section.
See Also
-
'sodium': R bindings to 'libsodium'
-
'libsodium': A Modern and Easy-to-Use Crypto Library
-
'keyring': Access the system credential store from R
-
Set-Cookie flags: Descriptions of different flags for
Set-Cookie -
Cross-site scripting: A security exploit which allows an attacker to inject into a website malicious client-side code
Examples
## Not run:
## Set secret key using `keyring` (preferred method)
keyring::key_set_with_value("plumber_api", password = plumber::random_cookie_key())
pr() %>%
pr_cookie(
keyring::key_get("plumber_api"),
name = "counter"
) %>%
pr_get("/sessionCounter", function(req) {
count <- 0
if (!is.null(req$session$counter)){
count <- as.numeric(req$session$counter)
}
req$session$counter <- count + 1
return(paste0("This is visit #", count))
}) %>%
pr_run()
#### -------------------------------- ###
## Save key to a local file
pswd_file <- "normal_file.txt"
cat(plumber::random_cookie_key(), file = pswd_file)
# Make file read-only
Sys.chmod(pswd_file, mode = "0600")
pr() %>%
pr_cookie(
readLines(pswd_file, warn = FALSE),
name = "counter"
) %>%
pr_get("/sessionCounter", function(req) {
count <- 0
if (!is.null(req$session$counter)){
count <- as.numeric(req$session$counter)
}
req$session$counter <- count + 1
return(paste0("This is visit #", count))
}) %>%
pr_run()
## End(Not run)