Ticket #5549: ticket_5549__rev_6814.diff

File ticket_5549__rev_6814.diff, 4.1 KB (added by __hawkeye__, 8 years ago)

Goes beyond #6081.

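--- a/django/contrib/sessions/models.py
+++ b/django/contrib/sessions/models.py
@@ -1,43 +1,12 @@
-import os
-import sys
-import time
-import datetime
-import base64
-import md5
-import random
-import cPickle as pickle
-
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
-from django.conf import settings
 
-class SessionManager(models.Manager):
-    def encode(self, session_dict):
-        "Returns the given session dictionary pickled and encoded as a string."
-        pickled = pickle.dumps(session_dict)
-        pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()
-        return base64.encodestring(pickled + pickled_md5)
-
-    def save(self, session_key, session_dict, expire_date):
-        s = self.model(session_key, self.encode(session_dict), expire_date)
-        if session_dict:
-            s.save()
-        else:
-            s.delete() # Clear sessions with no data.
-        return s
-
 class Session(models.Model):
     """
-    Django provides full support for anonymous sessions. The session
-    framework lets you store and retrieve arbitrary data on a
-    per-site-visitor basis. It stores data on the server side and
-    abstracts the sending and receiving of cookies. Cookies contain a
-    session ID -- not the data itself.
+    Saves sessions in database.
 
-    The Django sessions framework is entirely cookie-based. It does
-    not fall back to putting session IDs in URLs. This is an intentional
-    design decision. Not only does that behavior make URLs ugly, it makes
-    your site vulnerable to session-ID theft via the "Referer" header.
+    Not for direct usage, please use SessionStore class
+    in django.contrib.sessions.backends.db module to access sessions.
 
     For complete documentation on using Sessions in your code, consult
     the sessions documentation that is shipped with Django (also available
@@ -46,22 +15,8 @@
     session_key = models.CharField(_('session key'), max_length=40, primary_key=True)
     session_data = models.TextField(_('session data'))
     expire_date = models.DateTimeField(_('expire date'))
-    objects = SessionManager()
 
     class Meta:
         db_table = 'django_session'
         verbose_name = _('session')
         verbose_name_plural = _('sessions')
-
-    def get_decoded(self):
-        encoded_data = base64.decodestring(self.session_data)
-        pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
-        if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
-            from django.core.exceptions import SuspiciousOperation
-            raise SuspiciousOperation, "User tampered with session cookie."
-        try:
-            return pickle.loads(pickled)
-        # Unpickling can cause a variety of exceptions. If something happens,
-        # just return an empty dictionary (an empty session).
-        except:
-            return {}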
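Review bot: The new Session docstring (the two added lines in the first hunk) points readers at SessionStore but says nothing about what `session_data` holds, which matters now that `get_decoded()` and its SECRET_KEY-keyed MD5 tamper check are removed from the model: anyone who reads `session_data` directly gets an integrity-tagged blob and must not unpickle it by hand. I would also tighten the wording, e.g. `Stores sessions in the database.` and `Not intended for direct use; read and write sessions through the ``SessionStore`` class in ``django.contrib.sessions.backends.db``, which verifies the integrity tag on ``session_data`` before unpickling it.` The on-disk format (base64 of the pickled dict followed by its MD5 tag) is presumably unchanged by this patch, since the encoder is no longer visible here; worth confirming against the backend before wording the docstring. The Session class body continues past the end of this section.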
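--- a/docs/sessions.txt
+++ b/docs/sessions.txt
@@ -202,7 +202,7 @@
     >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
     >>> s['last_login'] = datetime.datetime(2005, 8, 20, 13, 35, 10)
     >>> s['last_login']
-    datetime.datetime(2005, 8, 20, 13, 35, 0)
+    datetime.datetime(2005, 8, 20, 13, 35, 10)
     >>> s.save()
 
 If you're using the ``django.contrib.sessions.backends.db`` backend, each
@@ -215,13 +215,12 @@
     >>> s.expire_date
     datetime.datetime(2005, 8, 20, 13, 35, 12)
 
-Note that you'll need to call ``get_decoded()`` to get the session dictionary.
+Note that you'll need to use the ``SessionStore`` class
+in ``django.contrib.sessions.backends.db`` to get the session dictionary.
 This is necessary because the dictionary is stored in an encoded format::
 
     >>> s.session_data
     'KGRwMQpTJ19hdXRoX3VzZXJfaWQnCnAyCkkxCnMuMTExY2ZjODI2Yj...'
-    >>> s.get_decoded()
-    {'user_id': 42}
 
 When sessions are saved
 =======================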