Ticket #5549: ticket_5549__rev_6814.diff

django/contrib/sessions/models.py

@@ -1 @@
-import os
-import sys
-import time
-import datetime
-import base64
-import md5
-import random
-import cPickle as pickle
-
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
-from django.conf import settings
 
-class SessionManager(models.Manager):
-    def encode(self, session_dict):
-        "Returns the given session dictionary pickled and encoded as a string."
-        pickled = pickle.dumps(session_dict)
-        pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()
-        return base64.encodestring(pickled + pickled_md5)
-
-    def save(self, session_key, session_dict, expire_date):
-        s = self.model(session_key, self.encode(session_dict), expire_date)
-        if session_dict:
-            s.save()
-        else:
-            s.delete() # Clear sessions with no data.
-        return s
-
 class Session(models.Model):
     """
-    Django provides full support for anonymous sessions. The session
-    framework lets you store and retrieve arbitrary data on a
-    per-site-visitor basis. It stores data on the server side and
-    abstracts the sending and receiving of cookies. Cookies contain a
-    session ID -- not the data itself.
+    Saves sessions in database.
 
-    The Django sessions framework is entirely cookie-based. It does
-    not fall back to putting session IDs in URLs. This is an intentional
-    design decision. Not only does that behavior make URLs ugly, it makes
-    your site vulnerable to session-ID theft via the "Referer" header.
+    Not for direct usage, please use SessionStore class
+    in django.contrib.sessions.backends.db module to access sessions.
 
     For complete documentation on using Sessions in your code, consult
     the sessions documentation that is shipped with Django (also available
@@ -46 +15 @@
     session_key = models.CharField(_('session key'), max_length=40, primary_key=True)
     session_data = models.TextField(_('session data'))
     expire_date = models.DateTimeField(_('expire date'))
-    objects = SessionManager()
 
     class Meta:
         db_table = 'django_session'
         verbose_name = _('session')
         verbose_name_plural = _('sessions')
-
-    def get_decoded(self):
-        encoded_data = base64.decodestring(self.session_data)
-        pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
-        if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
-            from django.core.exceptions import SuspiciousOperation
-            raise SuspiciousOperation, "User tampered with session cookie."
-        try:
-            return pickle.loads(pickled)
-        # Unpickling can cause a variety of exceptions. If something happens,
-        # just return an empty dictionary (an empty session).
-        except:
-            return {}

docs/sessions.txt

@@ -202 +202 @@
     >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
     >>> s['last_login'] = datetime.datetime(2005, 8, 20, 13, 35, 10)
     >>> s['last_login']
-    datetime.datetime(2005, 8, 20, 13, 35, 0)
+    datetime.datetime(2005, 8, 20, 13, 35, 10)
     >>> s.save()
 
 If you're using the ``django.contrib.sessions.backends.db`` backend, each
@@ -215 +215 @@
     >>> s.expire_date
     datetime.datetime(2005, 8, 20, 13, 35, 12)
 
-Note that you'll need to call ``get_decoded()`` to get the session dictionary.
+Note that you'll need to use the ``SessionStore`` class
+in ``django.contrib.sessions.backends.db`` to get the session dictionary.
 This is necessary because the dictionary is stored in an encoded format::
 
     >>> s.session_data
     'KGRwMQpTJ19hdXRoX3VzZXJfaWQnCnAyCkkxCnMuMTExY2ZjODI2Yj...'
-    >>> s.get_decoded()
-    {'user_id': 42}
 
 When sessions are saved
 =======================