Ticket #7515: clear_and_destroy.diff

django/contrib/sessions/middleware.py

@@ -21 +21 @@
-        try:
-            accessed = request.session.accessed
-            modified = request.session.modified
+            destroyed = request.session.destroyed
-        except AttributeError:
+            # request doesn't have 'session' attribute
+            # FIXME: is it such a good idea to hide this exception?
+            # if process_request() fails to set request.session we should
+            # raise here as well instead of silently failing,
+            # perhaps a SessionNotSetError?
-            pass
-        else:
-            if accessed:
-                patch_vary_headers(response, ('Cookie',))
-
+destroyed or 
-                if request.session.get_expire_at_browser_close():
-                    max_age = None
-                    expires = None
@@ -35 +41 @@
-                    expires_time = time.time() + max_age
-                    expires = cookie_date(expires_time)
-                # Save the session data and refresh the client cookie.
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-                response.set_cookie(settings.SESSION_COOKIE_NAME,
-                        request.session.session_key, max_age=max_age,
-                        expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,

django/contrib/sessions/tests.py

@@ -22 +22 @@
->>> db_session.delete(db_session.session_key)
->>> db_session.exists(db_session.session_key)
-False
+>>> db_session['foo'] = 'bar'
+>>> db_session.save()
+>>> db_session.exists(db_session.session_key)
+True
+>>> prev_key = db_session.session_key
+>>> db_session.save()
+>>> db_session.destroy()
+>>> db_session.exists(db_session.session_key)
+False
+>>> db_session.exists(prev_key)
+False
+>>> db_session.session_key == prev_key
+False
+>>> len(db_session.session_key)
+32
+>>> db_session.modified, db_session.accessed
+(False, True)
+>>> db_session['foo'] = 'bar'
+>>> db_session.modified, db_session.accessed
+(True, True)
+>>> db_session.save()
+>>> db_session.exists(db_session.session_key)
+True
-
->>> file_session = FileSession()
->>> file_session.modified
@@ -39 +62 @@
->>> file_session.delete(file_session.session_key)
->>> file_session.exists(file_session.session_key)
-False
+>>> file_session['foo'] = 'bar'
+>>> file_session.save()
+>>> file_session.exists(file_session.session_key)
+True
+>>> prev_key = file_session.session_key
+>>> file_session.save()
+>>> file_session.destroy()
+>>> file_session.exists(file_session.session_key)
+False
+>>> file_session.exists(prev_key)
+False
+>>> file_session.session_key == prev_key
+False
+>>> len(file_session.session_key)
+32
+>>> file_session.modified, file_session.accessed
+(False, True)
+>>> file_session['foo'] = 'bar'
+>>> file_session.modified, file_session.accessed
+(True, True)
+>>> file_session.save()
+>>> file_session.exists(file_session.session_key)
+True
-
-# Make sure the file backend checks for a good storage dir
->>> settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
@@ -61 +107 @@
->>> cache_session.delete(cache_session.session_key)
->>> cache_session.exists(cache_session.session_key)
-False
+>>> cache_session['foo'] = 'bar'
+>>> cache_session.save()
+>>> cache_session.exists(cache_session.session_key)
+True
+>>> prev_key = cache_session.session_key
+>>> cache_session.save()
+>>> cache_session.destroy()
+>>> cache_session.exists(cache_session.session_key)
+False
+>>> cache_session.exists(prev_key)
+False
+>>> cache_session.session_key == prev_key
+False
+>>> len(cache_session.session_key)
+32
+>>> cache_session.modified, cache_session.accessed
+(False, True)
+>>> cache_session['foo'] = 'bar'
+>>> cache_session.modified, cache_session.accessed
+(True, True)
+>>> cache_session.save()
+>>> cache_session.exists(cache_session.session_key)
+True
-
->>> s = SessionBase()
->>> s._session['some key'] = 'exists' # Pre-populate the session with some data
@@ -147 +216 @@
->>> list(i)
-[('x', 1)]
-
-
+
+
+
+
+
+
+
+
+
-
+
-#########################
-# Custom session expiry #
-#########################

django/contrib/sessions/backends/base.py

@@ -25 +25 @@
-        self._session_key = session_key
-        self.accessed = False
-        self.modified = False
+        self.destroyed = False
-
-    def __contains__(self, key):
-        return key in self._session
@@ -53 +54 @@
-        self.modified = self.modified or key in self._session
-        return self._session.pop(key, *args)
-
+    def clear(self):
+        self._session.clear()
+        self.modified = True
+
+    def destroy(self):
+        self._session.clear()
+        try:
+            # remove old session, may fail
+            self.delete(self._session_key)
+        except:
+            # ignore exceptions to guarantee session key reset
+            pass
+        self._session_key = self._get_new_session_key(safe=True)
+        self.modified = False
+        self.accessed = True
+        self.destroyed = True
+
-    def setdefault(self, key, value):
-        if key in self._session:
-            return self._session[key]
@@ -107 +125 @@
-    def iteritems(self):
-        return self._session.iteritems()
-
-
+, safe=False
-        "Returns session key that isn't being used."
-        # The random module is seeded when this Apache child is created.
-        # Use settings.SECRET_KEY as added salt.
@@ -119 +137 @@
-        while 1:
-            session_key = md5.new("%s%s%s%s" % (random.randint(0, sys.maxint - 1),
-                                  pid, time.time(), settings.SECRET_KEY)).hexdigest()
-
-
+
+
+
+
+
+
+
+
+
+
+
-        return session_key
-
-    def _get_session_key(self):

docs/sessions.txt

@@ -106 +106 @@
-
-    * ``setdefault()`` (**New in Django development version**)
-
+    * ``clear()`` (**New in Django development version**)
+
-It also has these methods:
-
+    * ``destroy()``
+
+      **New in Django development version**
+
+      Clears session data, deletes the old session from session storage and
+      creates a new empty session in exception-safe manner. This is the
+      recommended, safe way of resetting sessions on e.g. user logout.
+
-    * ``set_test_cookie()``
-
-      Sets a test cookie to determine whether the user's browser supports