Index: django/contrib/sessions/models.py =================================================================== --- django/contrib/sessions/models.py (revision 6814) +++ django/contrib/sessions/models.py (working copy) @@ -1,43 +1,12 @@ -import os -import sys -import time -import datetime -import base64 -import md5 -import random -import cPickle as pickle - from django.db import models from django.utils.translation import ugettext_lazy as _ -from django.conf import settings -class SessionManager(models.Manager): - def encode(self, session_dict): - "Returns the given session dictionary pickled and encoded as a string." - pickled = pickle.dumps(session_dict) - pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest() - return base64.encodestring(pickled + pickled_md5) - - def save(self, session_key, session_dict, expire_date): - s = self.model(session_key, self.encode(session_dict), expire_date) - if session_dict: - s.save() - else: - s.delete() # Clear sessions with no data. - return s - class Session(models.Model): """ - Django provides full support for anonymous sessions. The session - framework lets you store and retrieve arbitrary data on a - per-site-visitor basis. It stores data on the server side and - abstracts the sending and receiving of cookies. Cookies contain a - session ID -- not the data itself. + Saves sessions in database. - The Django sessions framework is entirely cookie-based. It does - not fall back to putting session IDs in URLs. This is an intentional - design decision. Not only does that behavior make URLs ugly, it makes - your site vulnerable to session-ID theft via the "Referer" header. + Not for direct usage, please use SessionStore class + in django.contrib.sessions.backends.db module to access sessions. For complete documentation on using Sessions in your code, consult the sessions documentation that is shipped with Django (also available @@ -46,22 +15,8 @@ session_key = models.CharField(_('session key'), max_length=40, primary_key=True) session_data = models.TextField(_('session data')) expire_date = models.DateTimeField(_('expire date')) - objects = SessionManager() class Meta: db_table = 'django_session' verbose_name = _('session') verbose_name_plural = _('sessions') - - def get_decoded(self): - encoded_data = base64.decodestring(self.session_data) - pickled, tamper_check = encoded_data[:-32], encoded_data[-32:] - if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check: - from django.core.exceptions import SuspiciousOperation - raise SuspiciousOperation, "User tampered with session cookie." - try: - return pickle.loads(pickled) - # Unpickling can cause a variety of exceptions. If something happens, - # just return an empty dictionary (an empty session). - except: - return {} Index: docs/sessions.txt =================================================================== --- docs/sessions.txt (revision 6814) +++ docs/sessions.txt (working copy) @@ -202,7 +202,7 @@ >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead') >>> s['last_login'] = datetime.datetime(2005, 8, 20, 13, 35, 10) >>> s['last_login'] - datetime.datetime(2005, 8, 20, 13, 35, 0) + datetime.datetime(2005, 8, 20, 13, 35, 10) >>> s.save() If you're using the ``django.contrib.sessions.backends.db`` backend, each @@ -215,13 +215,12 @@ >>> s.expire_date datetime.datetime(2005, 8, 20, 13, 35, 12) -Note that you'll need to call ``get_decoded()`` to get the session dictionary. +Note that you'll need to use the ``SessionStore`` class +in ``django.contrib.sessions.backends.db`` to get the session dictionary. This is necessary because the dictionary is stored in an encoded format:: >>> s.session_data 'KGRwMQpTJ19hdXRoX3VzZXJfaWQnCnAyCkkxCnMuMTExY2ZjODI2Yj...' - >>> s.get_decoded() - {'user_id': 42} When sessions are saved =======================