Ticket #16199: 16199.5.diff

new file django/contrib/sessions/backends/cookies.py

@@ +1 @@
+import zlib
+try:
+    import cPickle as pickle
+except ImportError:
+    import pickle
+
+from django.conf import settings
+from django.core import signing
+from django.utils.encoding import smart_str
+
+from django.contrib.sessions.backends.base import SessionBase
+
+
+class SessionStore(SessionBase):
+    salt = 'django.contrib.sessions.backends.cookies'
+
+    def load(self):
+        """
+        We load the data from the key itself instead of fetching from
+        some external data store. Opposite of _get_session_key(),
+        raises BadSignature if signature fails.
+        """
+        signer = signing.TimestampSigner(salt=self.salt)
+        try:
+            base64d = signer.unsign(
+                self._session_key, max_age=settings.SESSION_COOKIE_AGE)
+            pickled = signing.b64_decode(smart_str(base64d))
+            return pickle.loads(zlib.decompress(pickled))
+        except (signing.BadSignature, ValueError):
+            self.create()
+            return {}
+
+    def create(self):
+        """
+        To create a new key, we simply make sure that the modified flag is set
+        so that the cookie is set on the client for the current request.
+        """
+        self.modified = True
+
+    def save(self):
+        """
+        To save, we get the session key as a securely signed string and then
+        set the modified flag so that the cookie is set on the client for the
+        current request.
+        """
+        self._session_key = self._get_session_key()
+        self.modified = True
+
+    def exists(self, session_key=None):
+        """
+        This method makes sense when you're talking to a shared resource, but
+        it doesn't matter when you're storing the information in the client's
+        cookie.
+        """
+        return False
+
+    def delete(self, session_key=None):
+        """
+        To delete, we clear the session key and the underlying data structure
+        and set the modified flag so that the cookie is set on the client for
+        the current request.
+        """
+        self._session_key = ''
+        self._session_cache = {}
+        self.modified = True
+
+    def cycle_key(self):
+        """
+        Keeps the same data but with a new key.  To do this, we just have to
+        call ``save()`` and it will automatically save a cookie with a new key
+        at the end of the request.
+        """
+        self.save()
+
+    def _get_session_key(self):
+        """
+        Most session backends don't need to override this method, but we do,
+        because instead of generating a random string, we want to actually
+        generate a secure url-safe Base64-encoded string of data as our
+        session key.
+        """
+        payload = getattr(self, '_session_cache', {})
+        pickled = pickle.dumps(payload, pickle.HIGHEST_PROTOCOL)
+        base64d = signing.b64_encode(zlib.compress(pickled))
+        return signing.TimestampSigner(salt=self.salt).sign(base64d)
+
+    def _set_session_key(self, session_key):
+        self._session_key = session_key
+
+    session_key = property(_get_session_key, _set_session_key)

django/contrib/sessions/tests.py

@@ -7 +7 @@
 from django.contrib.sessions.backends.cache import SessionStore as CacheSession
 from django.contrib.sessions.backends.cached_db import SessionStore as CacheDBSession
 from django.contrib.sessions.backends.file import SessionStore as FileSession
+from django.contrib.sessions.backends.cookies import SessionStore as CookieSession
 from django.contrib.sessions.models import Session
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation
 from django.http import HttpResponse
 from django.test import TestCase, RequestFactory
+from django.test.utils import override_settings
 from django.utils import unittest
 
 
@@ -214 +216 @@
         # Tests get_expire_at_browser_close with different settings and different
         # set_expiry calls
         try:
-            try:
-                original_expire_at_browser_close = settings.SESSION_EXPIRE_AT_BROWSER_CLOSE
-                settings.SESSION_EXPIRE_AT_BROWSER_CLOSE = False
-
+            with override_settings(SESSION_EXPIRE_AT_BROWSER_CLOSE=False):
                 self.session.set_expiry(10)
                 self.assertFalse(self.session.get_expire_at_browser_close())
 
@@ -227 +226 @@
                 self.session.set_expiry(None)
                 self.assertFalse(self.session.get_expire_at_browser_close())
 
-                settings.SESSION_EXPIRE_AT_BROWSER_CLOSE = True
-
+            with override_settings(SESSION_EXPIRE_AT_BROWSER_CLOSE=True):
                 self.session.set_expiry(10)
                 self.assertFalse(self.session.get_expire_at_browser_close())
 
@@ -237 +235 @@
 
                 self.session.set_expiry(None)
                 self.assertTrue(self.session.get_expire_at_browser_close())
-
-            except:
-                raise
-        finally:
-            settings.SESSION_EXPIRE_AT_BROWSER_CLOSE = original_expire_at_browser_close
+        except:
+            raise
 
     def test_decode(self):
         # Ensure we can decode what we encode
@@ -302 +297 @@
         shutil.rmtree(self.temp_session_store)
         super(FileSessionTests, self).tearDown()
 
+    @override_settings(
+        SESSION_FILE_PATH="/if/this/directory/exists/you/have/a/weird/computer")
     def test_configuration_check(self):
         # Make sure the file backend checks for a good storage dir
-        settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
         self.assertRaises(ImproperlyConfigured, self.backend)
 
     def test_invalid_key_backslash(self):
@@ -324 +320 @@
 
 
 class SessionMiddlewareTests(unittest.TestCase):
-    def setUp(self):
-        self.old_SESSION_COOKIE_SECURE = settings.SESSION_COOKIE_SECURE
-        self.old_SESSION_COOKIE_HTTPONLY = settings.SESSION_COOKIE_HTTPONLY
-
-    def tearDown(self):
-        settings.SESSION_COOKIE_SECURE = self.old_SESSION_COOKIE_SECURE
-        settings.SESSION_COOKIE_HTTPONLY = self.old_SESSION_COOKIE_HTTPONLY
 
+    @override_settings(SESSION_COOKIE_SECURE=True)
     def test_secure_session_cookie(self):
-        settings.SESSION_COOKIE_SECURE = True
-
         request = RequestFactory().get('/')
         response = HttpResponse('Session test')
         middleware = SessionMiddleware()
@@ -347 +335 @@
         response = middleware.process_response(request, response)
         self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['secure'])
 
+    @override_settings(SESSION_COOKIE_HTTPONLY=True)
     def test_httponly_session_cookie(self):
-        settings.SESSION_COOKIE_HTTPONLY = True
-
         request = RequestFactory().get('/')
         response = HttpResponse('Session test')
         middleware = SessionMiddleware()
@@ -361 +348 @@
         # Handle the response through the middleware
         response = middleware.process_response(request, response)
         self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
+
+
+class CookieSessionTests(SessionTestsMixin, TestCase):
+
+    backend = CookieSession
+
+    def test_save(self):
+        """
+        This test tested exists() in the other session backends, but that
+        doesn't make sense for us.
+        """
+        pass

django/core/signing.py

@@ -161 +161 @@
     def __init__(self, *args, **kwargs):
         self.time_func = kwargs.pop('time', time.time)
         super(TimestampSigner, self).__init__(*args, **kwargs)
-    
+
     def timestamp(self):
         return baseconv.base62.encode(int(self.time_func() * 10000))
 

docs/topics/http/sessions.txt

@@ -95 +95 @@
 control where Django stores session files. Be sure to check that your Web
 server has permissions to read and write to this location.
 
+Using cookie-based sessions
+---------------------------
+
+.. versionadded:: 1.4
+
+To use cookies-based sessions, set the :setting:`SESSION_ENGINE` setting to
+``"django.contrib.sessions.backends.cookies"``. The session data will be
+stored using Django's tools for :doc:`cryptographic signing </topics/signing>`
+and the :setting:`SECRET_KEY` setting. It's recommended to set the
+:setting:`SESSION_COOKIE_HTTPONLY` to ``True`` to prevent tampering from
+JavaScript.
+
+.. warning::
+
+    The session data is **signed but not encrypted**!
+
+    When using the cookies backend the session data can be read out
+    and will be invalidated when being tampered with. The same invalidation
+    happens if the client storing the cookie (e.g. your user's browser)
+    can't store all of the session cookie and drops data. Even though
+    Django compresses the data before it's still entirely possible to
+    exceed the `common limit of 4096 bytes`_ per cookie.
+
+    Also, the size of a cookie can have an impact on the `speed of your site`_.
+
+.. _`common limit of 4096 bytes`: http://tools.ietf.org/html/rfc2965#section-5.3
+.. _`speed of your site`: http://yuiblog.com/blog/2007/03/01/performance-research-part-3/
 
 Using sessions in views
 =======================
@@ -420 +447 @@
     * ``'django.contrib.sessions.backends.file'``
     * ``'django.contrib.sessions.backends.cache'``
     * ``'django.contrib.sessions.backends.cached_db'``
+    * ``'django.contrib.sessions.backends.cookies'``
 
 See `configuring the session engine`_ for more details.