This module provides a simple session implementation which stores session data on the client as a cookie value.

The cookie values are stored in an encrypted cookie to make it more difficult for users to tamper with the values. However, this does not prevent replay attacks, and should not be seen as a substitute for using HTTPS. Additionally, the cryptography libraries used to encrypt the cookie have never been audited. Hence you are encouraged to think carefully about what data you put in the session data.

Another important thing to realize is client-side sessions do not provide Isolation. Imagine if the browser makes multiple simultaneous requests, which each modify the session data. The browser will submit the same cookie for each the requests, and each request handling thread will get their own copy of the session data. The threads will then modify their local copies independently and send their modified values back to the browser, overwriting each other. The final value will be determined by which ever request is sent last, and any changes made by the other request will be entirely lost.

This means that clientsessions would not be suitable for implementing a request counter, because if overlapping requests are made, the count will be off. The count will only be accurate if the requests are processed sequentially. That said, the demo code implements a request counter anyway, because it is short and sweet. Also, this caveat was forgotten when the example code was being written.

If you only modify the session data for POST requests, but not GET requests you are less likely to run into situations where you are losing changes, because there are not a lot of cases where a client will be submitting multiple POST requests in parallel. Though there is no guarantee.

Alternatively, you can choose to only store data where it is OK if modifications are lost. For example, if the session data contains only a userid and the time of the last request they made, then there is no great loss if some of the modifications are lost, because the access times are going to all be about the same anyway.

By default the client will need to submit the cookie that contains the client session data for every request (including images, and other static assets). So, storing a large amount of data in the client session will make requests slower and is not recommended. If you have assets which can be served with out examining the client session data you can use the sessionPath and sessionDomain parameters of SessionConf to limit when the browser sends the session data cookie.

The first thing you need to do is enable some extensions which can be done via a LANGUAGE pragma at the top of your app:

{-# LANGUAGE DeriveDataTypeable, TemplateHaskell #-}

Then you will need some imports:

module Main where

import Happstack.Server   (ServerPartT, Response, simpleHTTP
                         , nullConf, nullDir, ok, toResponse
                         )
import Happstack.Server.ClientSession
                          ( ClientSession(..), ClientSessionT(..)
                         , getDefaultKey, mkSessionConf
                         , liftSessionStateT, withClientSessionT
                         )
import Data.Data          (Data, Typeable)
import Data.Lens          ((+=))
import Data.Lens.Template (makeLens)
import Data.SafeCopy      (base, deriveSafeCopy)

Next you will want to create a type to hold your session data. Here we use a simple record which we will update using data-lens-fd. But, you could also store a, Map Text Text, or whatever suits your fancy as long as it can be serialized. (So no data types that include functions, existential types, etc).

data SessionData = SessionData
    { _count    :: Integer
    }
   deriving (Eq, Ord, Read, Show, Data, Typeable)

-- | here we make it a lens, but that is not required
$(makeLens ''SessionData)

We use the safecopy library to serialize the data so we can encrypt it and store it in a cookie. safecopy provides version migration, which means that we will be able to read-in old session data if we change the data type. The easiest way to create a SafeCopy instance is with deriveSafeCopy:

$(deriveSafeCopy 0 'base ''SessionData)

We also need to define what an emptySession looks like. This will be used for creating new sessions when the client does not already have one:

instance ClientSession SessionData where
    emptySession = SessionData { _count = 0 }

Next we have a function which reads a client-specific page counter and returns the number of times the page has been reloaded.

In this function we use, liftSessionStateT to lift the += lens function into ClientSessionT to increment and return the value stored in the client session.

Alternatively, we could have used the getSession and putSession functions from MonadClientSession. Those functions do not require the use of liftSessionStateT.

routes :: ClientSessionT SessionData (ServerPartT IO) Response
routes =
    do nullDir
       c <- liftSessionStateT $ count += 1
       ok $ toResponse $ "you have viewed this page " ++ (show c) ++ " time(s)."

Finally, we unwrap the ClientSessionT monad transformer using withClientSessionT.

The SessionConf type requires an encryption key. You can generate the key using getDefaultKey uses a default filename. Alternatively, you can specific the name you want to use explicitly using getKey. The key will be created automatically if it does not already exist.

If you change the key, all existing client sessions will be invalidated.

main :: IO ()
main =
    do key <- getDefaultKey
       let sessionConf = mkSessionConf key
       simpleHTTP nullConf $ withClientSessionT sessionConf $ routes

In a real application you might want to use a newtype wrapper around ClientSessionT to keep your type signatures sane. An alternative version of this demo which does that can be found here:

http://patch-tag.com/r/mae/happstack/snapshot/current/content/pretty/happstack-clientsession/demo/demo.hs