@@ -344,7 +344,7 @@ This module provides functions for creating and verifying
344344authenticated cookies that are intrinsically timestamped. It is based
345345on the algorithm proposed by the
346346@link["https://pdos.csail.mit.edu/archive/cookies/ " ]{MIT Cookie Eaters}: if you store
347- the data @racket[_data] at thime @racket[_authored-seconds], then the
347+ the data @racket[_data] at time @racket[_authored-seconds], then the
348348user will receive @litchar{digest&authored-seconds&data}, where
349349@racket[_digest] is an HMAC-SHA1 digest of @racket[_authored-seconds]
350350and @racket[_data], using an arbitrary secret key. When you receive a
@@ -402,32 +402,51 @@ available (@racket[make-secret-salt/file]),
402402 @defproc*[([(request-id-cookie [request request?]
403403 [#:name name (and/c string? cookie-name?)]
404404 [#:key secret-salt bytes?]
405- [#:timeout timeout number? +inf.0 ])
405+ [#:timeout timeout real? +inf.0 ]
406+ [#:shelf-life shelf-life real? +inf.0 ])
406407 (or/c #f (and/c string? cookie-value?))]
407408 [(request-id-cookie [name (and/c string? cookie-name?)]
408409 [secret-salt bytes?]
409410 [request request?]
410- [#:timeout timeout number? +inf.0 ])
411+ [#:timeout timeout number? +inf.0 ]
412+ [#:shelf-life shelf-life real? +inf.0 ])
411413 (or/c #f (and/c string? cookie-value?))])]{
412414 Extracts the first authenticated cookie named @racket[name]
413415 that was previously signed with @racket[secret-salt]
414- before @racket[timeout] from @racket[request].
416+ from @racket[request], with the allowable age of the cookie
417+ is controlled by @racket[shelf-life] and @racket[timeout] as with
418+ @racket[valid-id-cookie?].
419+
415420 If no valid cookie is available, returns @racket[#f ].
416421 }
417422
418423@defproc[(valid-id-cookie? [cookie any/c]
419424 [#:name name (and/c string? cookie-name?)]
420425 [#:key secret-salt bytes?]
421- [#:timeout timeout number? +inf.0 ])
426+ [#:timeout timeout number? +inf.0 ]
427+ [#:shelf-life shelf-life real? +inf.0 ])
422428 (or/c #f (and/c string? cookie-value?))]{
423429 Recognizes authenticated cookies named @racket[name] that were
424- previously signed with @racket[secret-salt]
425- before @racket[timeout]. Values satisfying either @racket[cookie?]
430+ previously signed with @racket[secret-salt].
431+ Values satisfying either @racket[cookie?]
426432 or @racket[client-cookie?] can be recognized.
427433
434+ The @racket[shelf-life] specifies the maximum age of the cookie
435+ in seconds. Cookies created more than @racket[shelf-life] seconds
436+ ago will not be considered valid.
437+ The default value, @racket[+inf.0 ], permits all properly named and
438+ signed cookies.
439+
440+ Counterintuitively,
441+ the @racket[timeout] argument requires that the cookie have been
442+ created @italic{before} a certain moment in time: in other words,
443+ it requires that the cookie be @italic{older} than a certain age.
444+ This is not usually what you want to restrict.
428445 Specifically, @racket[valid-id-cookie?] tests that
429446 @racket[(authored . <= . timeout)], where @racket[authored] is the
430447 value returned by @racket[(current-seconds)] when the cookie was created.
448+ The default value, @racket[+inf.0 ], permits all properly named and
449+ signed cookies.
431450 }
432451
433452 @defproc[(logout-id-cookie [name cookie-name?]
0 commit comments