|(require koyo/continuation)||package: koyo-lib|
Continuations in a web context are super valuable when it comes to quickly prototyping certain functionality. However, because it stores continuation ids within URLs, the web server is succeptible to session hijacking. This is by design. For some use cases it makes sense to allow users to share their URLs and have someone else be able to pick up from where they left off. In most web applications, though, that’s not what you want.
Let me illustrate the issue with an example. Say you have an e-commerce website and you implement your "add to cart" buttons using continuations. If you don’t protect your continuations, then a user could copy the URL for that button and give it to someone else; that other person would then inherit all of the state associated with that continuation. You might think that your users are unlikely to do that, but there are other cases in which browsers can leak information about URLs in a web application. One such case being Referrer headers.
To guard against the aforementioned issues, this module provides variants of the web server’s continuation-related functions that protect themselves against being hijacked. They do this by associating a random session cookie with each continuation that is captured. When a continuation is called and the visitor’s session does not contain said cookie, then a "403 Forbidden" response is returned.
(current-continuation-key-cookie-path path) → void? path : path-string?
(current-continuation-key-cookie-secure? secure?) → void? secure? : boolean?
Since current-continuation-key-cookie-secure? is #t by default, you’re expected to run your server behind TLS even in development mode, otherwise your cookies won’t get set and you’ll encounter 403 Forbidden responses every time you try to call a continuation.
Without this, all protected continuations will fail out so don’t forget to add it to your middleware stack.