Ticket #2066: session_engines.diff

django/test/client.py

@@ -4 +4 @@
-from urlparse import urlparse
-from django.conf import settings
-from django.contrib.auth import authenticate, login
-from django.contrib.sessions.models import Session
-from django.contrib.sessions.middleware import SessionWrapper
-from django.core.handlers.base import BaseHandler
-from django.core.handlers.wsgi import WSGIRequest
-from django.core.signals import got_request_exception
@@ -129 +127 @@
-    def _session(self):
-        "Obtain the current session variables"
-        if 'django.contrib.sessions' in settings.INSTALLED_APPS:
+            engine = __import__(settings.SESSION_ENGINE, {}, {}, [''])
-            cookie = self.cookies.get(settings.SESSION_COOKIE_NAME, None)
-            if cookie:
-SessionWrapper
+engine.SessionClass
-        return {}
-    session = property(_session)
-    
@@ -229 +228 @@
-        """
-        user = authenticate(**credentials)
-        if user and 'django.contrib.sessions' in settings.INSTALLED_APPS:
-obj = Session.objects.get_new_session_object(
-
+engine = __import__(settings.SESSION_ENGINE, {}, {}, ['']
+
-            # Create a fake request to store login details
-            request = HttpRequest()
-SessionWrapper(obj.session_key
+engine.SessionClass(
-            login(request, user)
-
+
-            # Set the cookie to represent the session
-obj
+request.session
-            self.cookies[settings.SESSION_COOKIE_NAME]['max-age'] = None
-            self.cookies[settings.SESSION_COOKIE_NAME]['path'] = '/'
-            self.cookies[settings.SESSION_COOKIE_NAME]['domain'] = settings.SESSION_COOKIE_DOMAIN
-            self.cookies[settings.SESSION_COOKIE_NAME]['secure'] = settings.SESSION_COOKIE_SECURE or None
-            self.cookies[settings.SESSION_COOKIE_NAME]['expires'] = None
-
-
-
-
+
+
-
-            return True
-        else:

django/conf/global_settings.py

@@ -270 +270 @@
-SESSION_COOKIE_SECURE = False             # Whether the session cookie should be secure (https:// only).
-SESSION_SAVE_EVERY_REQUEST = False        # Whether to save the session data on every request.
-SESSION_EXPIRE_AT_BROWSER_CLOSE = False   # Whether sessions expire when a user closes his browser.
+SESSION_ENGINE = 'django.contrib.sessions.engines.db' # The module to store session data
+SESSION_FILE_PATH = '/tmp/'               # Directory to store session files if using the file session module
-
-#########
-# CACHE #

django/contrib/sessions/middleware.py

@@ -1 +1 @@
-from django.conf import settings
-from django.contrib.sessions.models import Session
-from django.core.exceptions import SuspiciousOperation
-from django.utils.cache import patch_vary_headers
-import datetime
-
-TEST_COOKIE_NAME = 'testcookie'
-TEST_COOKIE_VALUE = 'worked'
-
-class SessionWrapper(object):
-    def __init__(self, session_key):
-        self.session_key = session_key
-        self.accessed = False
-        self.modified = False
-
-    def __contains__(self, key):
-        return key in self._session
-
-    def __getitem__(self, key):
-        return self._session[key]
-
-    def __setitem__(self, key, value):
-        self._session[key] = value
-        self.modified = True
-
-    def __delitem__(self, key):
-        del self._session[key]
-        self.modified = True
-
-    def keys(self):
-        return self._session.keys()
-
-    def items(self):
-        return self._session.items()
-
-    def get(self, key, default=None):
-        return self._session.get(key, default)
-
-    def pop(self, key, *args):
-        return self._session.pop(key, *args)
-
-    def set_test_cookie(self):
-        self[TEST_COOKIE_NAME] = TEST_COOKIE_VALUE
-
-    def test_cookie_worked(self):
-        return self.get(TEST_COOKIE_NAME) == TEST_COOKIE_VALUE
-
-    def delete_test_cookie(self):
-        del self[TEST_COOKIE_NAME]
-
-    def _get_session(self):
-        # Lazily loads session from storage.
-        self.accessed = True
-        try:
-            return self._session_cache
-        except AttributeError:
-            if self.session_key is None:
-                self._session_cache = {}
-            else:
-                try:
-                    s = Session.objects.get(session_key=self.session_key,
-                        expire_date__gt=datetime.datetime.now())
-                    self._session_cache = s.get_decoded()
-                except (Session.DoesNotExist, SuspiciousOperation):
-                    self._session_cache = {}
-                    # Set the session_key to None to force creation of a new
-                    # key, for extra security.
-                    self.session_key = None
-            return self._session_cache
-
-    _session = property(_get_session)
-
-class SessionMiddleware(object):
+    """
+    Django Session Middleware
+    """
-    def process_request(self, request):
-
+
+
-
-    def process_response(self, request, response):
-        # If request.session was modified, or if response.session was set, save
@@ -86 +22 @@
-            if accessed:
-                patch_vary_headers(response, ('Cookie',))
-            if modified or settings.SESSION_SAVE_EVERY_REQUEST:
-                if request.session.session_key:
-                    session_key = request.session.session_key
-                else:
-                    obj = Session.objects.get_new_session_object()
-                    session_key = obj.session_key
-
-                if settings.SESSION_EXPIRE_AT_BROWSER_CLOSE:
-                    max_age = None
-                    expires = None
-                else:
-                    max_age = settings.SESSION_COOKIE_AGE
-datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE), "%a, %d-%b-%Y %H:%M:%S GMT")
-new_session = Session.objects.save(session_key, request.session._session,
-datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE)
-
+\
+    datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE), "%a, %d-%b-%Y %H:%M:%S GMT")
+request.session.save(
+request.session.
-                    max_age=max_age, expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
-                    secure=settings.SESSION_COOKIE_SECURE or None)
-        return response

django/contrib/sessions/engines/base.py

@@ +1 @@
+from django.conf import settings
+from django.utils.cache import patch_vary_headers
+import base64, md5, datetime, random, os, sys
+import cPickle as pickle
+
+TEST_COOKIE_NAME = 'testcookie'
+TEST_COOKIE_VALUE = 'worked'
+
+class SessionBase(object):
+    """
+    MetaClass for all Session classes. 
+    """
+    def __init__(self, session_key=None):
+        self._session_key = session_key
+        self.accessed = False
+        self.modified = False
+
+    def __contains__(self, key):
+        return key in self._session
+
+    def __getitem__(self, key):
+        return self._session[key]
+
+    def __setitem__(self, key, value):
+        self._session[key] = value
+        self.modified = True
+
+    def __delitem__(self, key):
+        del self._session[key]
+        self.modified = True
+
+    def keys(self):
+        return self._session.keys()
+
+    def items(self):
+        return self._session.items()
+
+    def get(self, key, default=None):
+        return self._session.get(key, default)
+
+    def pop(self, key, *args):
+        return self._session.pop(key, *args)
+
+    def set_test_cookie(self):
+        self[TEST_COOKIE_NAME] = TEST_COOKIE_VALUE
+
+    def test_cookie_worked(self):
+        return self.get(TEST_COOKIE_NAME) == TEST_COOKIE_VALUE
+
+    def delete_test_cookie(self):
+        del self[TEST_COOKIE_NAME]
+        
+    def encode(self, session_dict):
+        "Returns the given session dictionary pickled and encoded as a string."
+        pickled = pickle.dumps(session_dict)
+        pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()
+        return base64.encodestring(pickled + pickled_md5)
+
+    def decode(self, session_data):
+        encoded_data = base64.decodestring(session_data)
+        pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
+        if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
+            from django.core.exceptions import SuspiciousOperation
+            raise SuspiciousOperation, "User tampered with session cookie."
+        try:
+            return pickle.loads(pickled)
+        # Unpickling can cause a variety of exceptions. If something happens,
+        # just return an empty dictionary (an empty session).
+        except:
+            return {}
+        
+    def _get_new_session_key(self):
+        "Returns session key that isn't being used."
+        # The random module is seeded when this Apache child is created.
+        # Use person_id and SECRET_KEY as added salt.
+        while 1:
+            session_key = md5.new("%s%s%s%s" % (random.randint(0, sys.maxint - 1), 
+                                  os.getpid(), time.time(), settings.SECRET_KEY)).hexdigest()
+            if not self.exists(session_key):
+                break
+        return session_key
+        
+    def _get_session_key(self):
+        if self._session_key:
+            return self._session_key
+        else:
+            self._session_key = self._get_new_session_key()
+            return self._session_key
+    
+    def _set_session_key(self, session_key):
+        self._session_key = session_key
+    
+    session_key = property(_get_session_key, _set_session_key)
+
+    def _get_session(self):
+        # Lazily loads session from storage.
+        self.accessed = True
+        try:
+            return self._session_cache
+        except AttributeError:
+            if self.session_key is None:
+                self._session_cache = {}
+            else:
+                self._session_cache = self.load()
+        return self._session_cache
+
+    _session = property(_get_session)
+    
+    def exists(self, session_key):
+        """
+        returns True if the the session_key already exists in the 
+        session store
+        """
+        raise NotImplementedError
+
+    def save(self):
+        """
+        saves self._session associated self.session_key in the 
+        session store
+        """
+        raise NotImplementedError
+
+    def delete(self, session_key):
+        """
+        deletes the session data associated with session_key
+        """
+        raise NotImplementedError
+
+    def load(self):
+        """
+        returns a dictionary with the session data from the session 
+        store associated with self.session_key
+        """
+        raise NotImplementedError
+        

django/contrib/sessions/engines/file.py

@@ +1 @@
+import base64, md5, random, sys, datetime, os
+import cPickle as pickle
+from django.conf import settings
+from django.contrib.sessions.models import Session
+from django.contrib.sessions.engines.base import SessionBase
+from django.core.exceptions import SuspiciousOperation
+from django.utils.cache import patch_vary_headers
+import datetime
+
+class SessionStore(SessionBase):
+    """
+    Implements a file based session store.
+    """
+    def __init__(self, session_key=None):
+        self.storage_path = settings.SESSION_FILE_PATH
+        self.file_prefix = settings.SESSION_COOKIE_NAME    
+        super(SessionStore, self).__init__(session_key)
+    
+    def _key_to_file(self, session_key=None):
+        if session_key is None:
+            session_key = self.session_key
+        return os.path.join(self.storage_path, self.file_prefix + session_key)
+            
+    def load(self):
+        session_data = {}
+        try:
+            session_file = open(self._key_to_file(), "rb")
+            try:
+                session_data = self.decode(session_file.read())
+            except(EOFError, SuspiciousOperation):
+                self._session_key = self._get_new_session_key()
+                self._session_cache = {}
+                #save to minimize collision
+                self.save()
+            finally:
+                session_file.close()
+        except(IOError):
+            pass
+        return session_data
+
+    def save(self):
+        try:
+            f = open(self._key_to_file(self.session_key), "wb")
+            try:
+                f.write(self.encode(self._session))
+            finally:
+                f.close()
+        except(IOError, EOFError):
+            pass
+
+    def exists(self, session_key):
+        if os.path.exists(self._key_to_file(session_key)):
+            return True
+        return False
+        
+    def delete(self, session_key):
+        try:
+            os.unlink(self._key_to_file(session_key))
+        except OSError:
+            pass
+            
+    def clean(self):
+        pass

django/contrib/sessions/engines/cache.py

@@ +1 @@
+import base64, md5, random, sys, datetime, os
+from django.conf import settings
+from django.contrib.sessions.engines.base import SessionBase
+from django.core.exceptions import SuspiciousOperation
+from django.utils.cache import patch_vary_headers
+from django.core.cache import cache
+
+class SessionStore(SessionBase):
+    """
+    Implements a cache based session store. 
+    """
+    def __init__(self, session_key=None):
+        self._cache = cache
+        super(SessionStore, self).__init__(session_key)
+        
+    def load(self):
+        session_data = self._cache.get(self.session_key)
+        return session_data
+
+    def save(self):
+        self._cache.set(self.session_key, self._session, settings.SESSION_COOKIE_AGE)
+
+    def exists(self, session_key):
+        if self._cache.get(session_key):
+                return True
+        return False
+        
+    def delete(self, session_key):
+        self._cache.delete(session_key)

django/contrib/sessions/engines/db.py

@@ +1 @@
+from django.conf import settings
+from django.contrib.sessions.models import Session
+from django.contrib.sessions.engines.base import SessionBase
+from django.core.exceptions import SuspiciousOperation
+import datetime
+
+class SessionStore(SessionBase):
+    """
+    Implements database session store
+    """
+    def __init__(self, session_key=None):
+        super(SessionStore, self).__init__(session_key)
+    
+    def load(self):
+        try:
+            s = Session.objects.get(session_key=self.session_key, 
+                    expire_date__gt=datetime.datetime.now())
+            return self.decode(s.session_data)
+        except (Session.DoesNotExist, SuspiciousOperation):
+            # Create a new session_key for extra security.
+            self.session_key = self._get_new_session_key()
+            self._session_cache = {}
+            #save to minimize collision
+            self.save()
+            return {}
+            
+    def exists(self, session_key):
+        try:
+            Session.objects.get(session_key=session_key)
+        except Session.DoesNotExist:
+            return False
+        return True
+            
+    def save(self):
+        s = Session(self.session_key, self.encode(self._session), datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE))
+        s.save()
+    
+    def delete(self, session_key):
+        try:
+            s = Session.objects.get(session_key=session_key)
+            s.delete()
+        except Session.DoesNotExist:
+            pass

django/contrib/sessions/tests.py

@@ -1 +1 @@
-r"""
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-'does not exist'
+>>> cache_session.save()
+>>> cache_session.exists(cache_session.session_key)
+True
+>>> cache_session.delete(cache_session.session_key)
+>>> cache_session.exists(cache_session.session_key)
+False
-"""
-
-
+
+
+
+
-
-if __name__ == '__main__':
-    import doctest

django/contrib/sessions/models.py

@@ -1 @@
-
+, os, time
-import cPickle as pickle
-from django.db import models
-from django.utils.translation import gettext_lazy as _
@@ -14 +14 @@
-    def get_new_session_key(self):
-        "Returns session key that isn't being used."
-        # The random module is seeded when this Apache child is created.
-person_id and 
+
-        while 1:
-
+
+
-            try:
-                self.get(session_key=session_key)
-            except self.model.DoesNotExist:

docs/sessions.txt

@@ -10 +10 @@
-Enabling sessions
-=================
-
- and a Django model
+
-
-se two things
+ following
-
-    * Edit the ``MIDDLEWARE_CLASSES`` setting and make sure
-      ``MIDDLEWARE_CLASSES`` contains ``'django.contrib.sessions.middleware.SessionMiddleware'``.
-      The default ``settings.py`` created by ``django-admin.py startproject`` has
-      ``SessionMiddleware`` activated.
-
-
-
-
+
+
+
+
+
+
+
+
+
-
-If you don't want to use sessions, you might as well remove the
-``SessionMiddleware`` line from ``MIDDLEWARE_CLASSES`` and ``'django.contrib.sessions'``
-from your ``INSTALLED_APPS``. It'll save you a small bit of overhead.
-
-.. _middleware: ../middleware/
+.. _cache: ../cache/
-
-Using sessions in views
-=======================
@@ -65 +72 @@
-      cookies. Due to the way cookies work, you won't be able to test this
-      until the user's next page request. See "Setting test cookies" below for
-      more information.
-
+
-    * ``test_cookie_worked()``
-      Returns either ``True`` or ``False``, depending on whether the user's
-      browser accepted the test cookie. Due to the way cookies work, you'll
@@ -153 +160 @@
-Using sessions out of views
-===========================
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-is defined in ``django/contrib/sessions/models.py``. Because it's a normal
-model, you can access sessions using the normal Django database API::
-
-    >>> from django.contrib.sessions.models import Session
-    >>> s = Session.objects.get(pk='2b1189a188b44ad18c35e113ac6ceead')
-    >>> s.expire_date
-
+  
-
-Note that you'll need to call ``get_decoded()`` to get the session dictionary.
-This is necessary because the dictionary is stored in an encoded format::
@@ -239 +257 @@
-
-A few `Django settings`_ give you control over session behavior:
-
+**New in Django development version**
+
+SESSION_ENGINE
+--------------
+
+Default: ``django.contrib.sessions.engines.db``
+
+Django sessions have configurable backends for the method of storage. The 
+setting ``SESSION_ENGINE`` in ``settings.py`` refers to the module which implements 
+the session backend. 
+Django comes with three session engines:
+
+    * ``'django.contrib.sessions.engines.db'`` is the default session storage method.
+      All data is encoded and stored in the database.
+      
+    * ``'django.contrib.sessions.engines.file'`` a simple file based session storage 
+      method. Each session is encoded and stored in individual files on the server.
+      
+    * ``'django.contrib.sessions.engines.cache'`` based on the Django cache_ framework.
+      Sessions are stored in the configured cache backend.
+    
+.. _cache: ../cache/
+
+SESSION_FILE_PATH
+-----------------
+
+Default: ``/tmp/``
+
+If the module associated with ``SESSION_ENGINE`` is ``'django.contrib.sessions.file'`` 
+this is the directory which session files are stored in.
+
-SESSION_COOKIE_AGE
-------------------
-