def __init__(self):
""" Add regex for auto inserts and an instance of
the standard django.contrib.sessions middleware
"""
self.settings = getattr(settings, 'COOKIELESS', DEFAULT_SETTINGS)
self._re_links = re.compile(LINKS_RE, re.I)
self._re_forms = re.compile('</form>', re.I)
self._re_body = re.compile('</body>', re.I)
self._sesh = CryptSession()
self.standard_session = SessionMiddleware()
self.engine = import_module(settings.SESSION_ENGINE)
def setUp(self):
""" Turn of HOSTS check and setup reusable attributes """
self.settings = getattr(settings, 'COOKIELESS', DEFAULT_SETTINGS)
self.settings['HOSTS'] = []
self.browser = Client()
self.browser.request()
self.engine = import_module(settings.SESSION_ENGINE)
self.crypt_sesh = CryptSession()
self.factory = RequestFactory()
self.skey = settings.SESSION_COOKIE_NAME
# This is a bit crap - because matching is fragile and also its
# reused to split up and grab the session id - TODO: replace with regex
self.hidden = '<input type="hidden" name="%s" value="' % self.skey
def my_function_view(request):
""" Test function view with manually constructed sesh url """
request.session['funcview'] = 'my_function_view'
html = "<html><body><h1>Function view</h1>"
html += '<p><a href="/?%s=%s">Class view</a></p><hr />'
html = html % CryptSession().key_tuple(request)
html += session_data(request) + '</body></html>'
return HttpResponse(html)
class CryptTestCase(unittest.TestCase):
"""
Check the session id encryption is working OK
"""
# urls = 'django-cookieless.test_urls'
def setUp(self):
""" Get a session and a crypt_session """
self.settings = getattr(settings, "COOKIELESS", DEFAULT_SETTINGS)
self.engine = import_module(settings.SESSION_ENGINE)
self.crypt_sesh = CryptSession()
self.factory = RequestFactory()
def crypt_ok(self, request=None):
""" Check encryption works with various settings """
if not request:
request = self.factory.get("/")
session = self.engine.SessionStore()
session.create()
self.assertNotEqual(session.session_key, None)
sessionid = self.crypt_sesh.encrypt(request, session.session_key)
session_key = self.crypt_sesh.decrypt(request, sessionid)
return session.session_key, session_key
def test_default(self):
self.settings["CLIENT_ID"] = False
self.settings["HOSTS"] = []
keys = self.crypt_ok()
self.assertEqual(*keys)
def test_client_id(self):
self.settings["CLIENT_ID"] = False
self.settings["HOSTS"] = []
keys = self.crypt_ok()
self.assertEqual(*keys)
def test_hosts_check(self):
self.settings["CLIENT_ID"] = False
request = self.factory.get("/")
request.META["HTTP_REFERER"] = "http://localhost:12345/foobar"
settings.COOKIELESS_HOSTS = ["localhost"]
keys = self.crypt_ok(request)
self.assertEqual(*keys)
class CryptTestCase(unittest.TestCase):
"""
Check the session id encryption is working OK
"""
# urls = 'django-cookieless.test_urls'
def setUp(self):
""" Get a session and a crypt_session """
self.settings = getattr(settings, 'COOKIELESS', DEFAULT_SETTINGS)
self.engine = import_module(settings.SESSION_ENGINE)
self.crypt_sesh = CryptSession()
self.factory = RequestFactory()
def crypt_ok(self, request=None):
""" Check encryption works with various settings """
if not request:
request = self.factory.get('/')
session = self.engine.SessionStore()
session.create()
self.assertNotEqual(session.session_key, None)
sessionid = self.crypt_sesh.encrypt(request, session.session_key)
session_key = self.crypt_sesh.decrypt(request, sessionid)
return session.session_key, session_key
def test_default(self):
self.settings['CLIENT_ID'] = False
self.settings['HOSTS'] = []
keys = self.crypt_ok()
self.assertEqual(*keys)
def test_client_id(self):
self.settings['CLIENT_ID'] = False
self.settings['HOSTS'] = []
keys = self.crypt_ok()
self.assertEqual(*keys)
def test_hosts_check(self):
self.settings['CLIENT_ID'] = False
request = self.factory.get('/')
request.META['HTTP_REFERER'] = 'http://localhost:12345/foobar'
settings.COOKIELESS_HOSTS = ['localhost', ]
keys = self.crypt_ok(request)
self.assertEqual(*keys)
class BaseSessionNode(template.Node):
def __init__(self,):
self.request_var = template.Variable("request")
self._sesh = CryptSession()
def get_key(self, context):
request = self.request_var.resolve(context)
if request.session.session_key:
return self._sesh.encrypt(request, request.session.session_key)
else:
return ""
class BaseSessionNode(template.Node):
def __init__(self, ):
self.request_var = template.Variable('request')
self._sesh = CryptSession()
def get_key(self, context):
request = self.request_var.resolve(context)
if request.session.session_key:
return self._sesh.encrypt(request, request.session.session_key)
else:
return ''
def setUp(self):
""" Turn of HOSTS check and setup reusable attributes """
self.settings = getattr(settings, 'COOKIELESS', DEFAULT_SETTINGS)
self.settings['HOSTS'] = []
self.browser = Client()
self.browser.request()
self.engine = import_module(settings.SESSION_ENGINE)
self.crypt_sesh = CryptSession()
self.factory = RequestFactory()
self.skey = settings.SESSION_COOKIE_NAME
# This is a bit crap - because matching is fragile and also its
# reused to split up and grab the session id - TODO: replace with regex
self.hidden = '<input type="hidden" name="%s" value="' % self.skey
def __init__(self, get_response=None):
""" Add regex for auto inserts and an instance of
the standard django.contrib.sessions middleware
"""
self.settings = getattr(settings, "COOKIELESS", DEFAULT_SETTINGS)
self._re_links = re.compile(LINKS_RE, re.I)
self._re_forms = re.compile("</form>", re.I)
self._re_body = re.compile("</body>", re.I)
self._sesh = CryptSession()
self.standard_session = SessionMiddleware()
self.get_response = get_response
engine = import_module(settings.SESSION_ENGINE)
self.SessionStore = engine.SessionStore
class BaseFuncTestCase(TestCase):
"""
Utitlity methods to pull stuff out of session etc.
"""
def setUp(self):
""" Turn of HOSTS check and setup reusable attributes """
self.settings = getattr(settings, 'COOKIELESS', DEFAULT_SETTINGS)
self.settings['HOSTS'] = []
self.browser = Client()
self.browser.request()
self.engine = import_module(settings.SESSION_ENGINE)
self.crypt_sesh = CryptSession()
self.factory = RequestFactory()
self.skey = settings.SESSION_COOKIE_NAME
# This is a bit crap - because matching is fragile and also its
# reused to split up and grab the session id - TODO: replace with regex
self.hidden = '<input type="hidden" name="%s" value="' % self.skey
def get_session(self, response, url='/', agent='unknown browser'):
""" Extract id from response and retrieve session """
# post or get
parts = ''
if not response.content:
print 'RESPONSE FAILED: %s' % response.__class__
if response.content.find(self.hidden) > -1:
splitter = self.hidden
else:
splitter = '%s=' % self.skey
parts = response.content.split(splitter, 1)
session_key = ''
if len(parts) > 1:
parts = parts[1].split('"', 1)
session_id = parts[0]
request = self.factory.get(url,
REMOTE_ADDR='127.0.0.1',
HTTP_USER_AGENT=agent)
try:
session_key = self.crypt_sesh.decrypt(request, session_id)
except:
# Silently start new session in case fake session_id format causes error
pass
else:
session_id = ''
try:
session = self.engine.SessionStore(session_key)
except:
session = self.engine.SessionStore()
return session, session_id
class BaseFuncTestCase(TestCase):
"""
Utitlity methods to pull stuff out of session etc.
"""
def setUp(self):
""" Turn of HOSTS check and setup reusable attributes """
self.settings = getattr(settings, 'COOKIELESS', DEFAULT_SETTINGS)
self.settings['HOSTS'] = []
self.browser = Client()
self.browser.request()
self.engine = import_module(settings.SESSION_ENGINE)
self.crypt_sesh = CryptSession()
self.factory = RequestFactory()
self.skey = settings.SESSION_COOKIE_NAME
# This is a bit crap - because matching is fragile and also its
# reused to split up and grab the session id - TODO: replace with regex
self.hidden = '<input type="hidden" name="%s" value="' % self.skey
def get_session(self, response, url='/', agent='unknown browser'):
""" Extract id from response and retrieve session """
# post or get
parts = ''
if not response.content:
print 'RESPONSE FAILED: %s' % response.__class__
if response.content.find(self.hidden) > -1:
splitter = self.hidden
else:
splitter = '%s=' % self.skey
parts = response.content.split(splitter, 1)
session_key = ''
if len(parts) > 1:
parts = parts[1].split('"', 1)
session_id = parts[0]
request = self.factory.get(url, REMOTE_ADDR='127.0.0.1',
HTTP_USER_AGENT=agent)
try:
session_key = self.crypt_sesh.decrypt(request, session_id)
except:
# Silently start new session in case fake session_id format causes error
pass
else:
session_id = ''
try:
session = self.engine.SessionStore(session_key)
except:
session = self.engine.SessionStore()
return session, session_id
def __init__(self,):
self.request_var = template.Variable("request")
self._sesh = CryptSession()
def setUp(self):
""" Get a session and a crypt_session """
self.settings = getattr(settings, 'COOKIELESS', DEFAULT_SETTINGS)
self.engine = import_module(settings.SESSION_ENGINE)
self.crypt_sesh = CryptSession()
self.factory = RequestFactory()
def __init__(self, ):
self.request_var = template.Variable('request')
self._sesh = CryptSession()
class CookielessSessionMiddleware(object):
""" Django snippets julio carlos and Ivscar
http://djangosnippets.org/snippets/1540/
Plus django.session.middleware combined
Install by replacing
'django.contrib.sessions.middleware.SessionMiddleware'
with 'cookieless.middleware.CookielessSessionMiddleware'
NB: Remember only decorated methods are cookieless
cookieless sessions get the no_cookies = True key added
"""
def __init__(self):
""" Add regex for auto inserts and an instance of
the standard django.contrib.sessions middleware
"""
self.settings = getattr(settings, 'COOKIELESS', DEFAULT_SETTINGS)
self._re_links = re.compile(LINKS_RE, re.I)
self._re_forms = re.compile('</form>', re.I)
self._re_body = re.compile('</body>', re.I)
self._sesh = CryptSession()
self.standard_session = SessionMiddleware()
self.engine = import_module(settings.SESSION_ENGINE)
def process_request(self, request):
""" Check if we have the session key from a cookie,
if not check post, and get if allowed
If decryption fails
(ie secret is wrong because of other setting restrictions)
decrypt may not return a real key so
test for that and start a new session if so
NB: Use resolve to check view for no_cookies
- because its before view is processed
"""
name = settings.SESSION_COOKIE_NAME
session_key = ''
match = resolve(request.path)
no_cookies = False
if match and getattr(match.func, 'no_cookies', False):
no_cookies = True
if request.POST:
session_key = self._sesh.decrypt(request,
request.POST.get(name, None))
if not session_key and self.settings.get('USE_GET', False):
session_key = self._sesh.decrypt(request,
request.GET.get(name, ''))
else:
session_key = request.COOKIES.get(name, '')
try:
request.session = self.engine.SessionStore(session_key)
except:
pass
# NB: engine may work but return empty key less session
try:
session_key = request.session.session_key
except:
session_key = ''
# If the session_key isn't tied to a session - create a new one
if not session_key:
request.session = self.engine.SessionStore()
if no_cookies:
request.session['no_cookies'] = True
# Flag it here so we can send created session signal
# with data later on in process_response
request.session['created_cookieless'] = True
request.session.save()
def process_response(self, request, response):
"""
Copied from contrib.session.middleware with no_cookies switch added ...
If request.session was modified, or if the configuration is to save the
session every time, save the changes and set a session cookie.
NB: request.COOKIES are the sent ones and response.cookies the set ones!
"""
if getattr(request, 'no_cookies', False):
if request.COOKIES:
if self.settings.get('NO_COOKIE_PERSIST', False):
# Don't persist a session with cookieless for any session
# thats been set against a cookie
# - may be attached to a user - so always start a new separate one
cookie_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME, '')
if cookie_key == request.session.session_key:
request.session = self.engine.SessionStore()
request.session['no_cookies'] = True
request.session['created_cookieless'] = True
request.session.save()
if self.settings.get('DELETE_COOKIES', False):
# Blat any existing cookies
for key in request.COOKIES.keys():
response.delete_cookie(key)
# Dont set any new cookies
if hasattr(response, 'cookies'):
response.cookies.clear()
# cookieless - do same as standard process response
# but dont set the cookie
if self.settings.get('REWRITE', False):
response = self.nocookies_response(request, response)
# Check for created flag for signal and turn off
created = request.session.get('created_cookieless', False)
if created:
request.session['created_cookieless'] = False
try:
# accessed = request.session.accessed
modified = request.session.modified
except AttributeError:
pass
else:
if modified or settings.SESSION_SAVE_EVERY_REQUEST:
try:
# Save the session data
request.session.save()
except:
# Ensure all keys are strings - required by move to JSON serializer with 1.6
for key in request.session.keys():
if type(key) not in (type(''), type(u'')):
request.session[str(key)] = str(request.session[key])
del request.session[key]
#elif type(value) not in (type(''), type(u''), type(True)):
# request.session[key] = str(request.session[key])
request.session.save()
cookieless_signal.send(sender=request, created=created)
return response
else:
return self.standard_session.process_response(request, response)
def nocookies_response(self, request, response):
""" Option to rewrite forms and urls to add session automatically """
name = settings.SESSION_COOKIE_NAME
session_key = ''
if request.session.session_key and \
not request.path.startswith(self.settings.get('EXCLUDE_DIR', '/admin')):
session_key = self._sesh.encrypt(request, request.session.session_key)
if self.settings.get('USE_GET', False) and session_key:
if type(response) is HttpResponseRedirect:
host = request.META.get('HTTP_HOST', 'localhost')
redirect_url = [x[1] for x in response.items() if x[0] == "Location"][0]
if redirect_url.find(host) > -1:
redirect_url = self._sesh.prepare_url(redirect_url)
return HttpResponseRedirect('%s%s=%s' % (redirect_url, name,
session_key))
else:
return HttpResponseRedirect(redirect_url)
def new_url(match):
anchor_value = ""
if match.groupdict().get("anchor"):
anchor_value = match.groupdict().get("anchor")
return_str = '<a%shref="%s%s=%s%s"%s>' % (
match.groupdict()['pre_href'],
self._sesh.prepare_url(match.groupdict()['in_href']),
name,
session_key,
anchor_value,
match.groupdict()['post_href']
)
return return_str
if self.settings.get('USE_GET', False):
try:
response.content = self._re_links.sub(new_url, response.content)
except:
pass
# Check in case response has already got a manual session_id inserted
repl_form = '<input type="hidden" name="%s"' % name
if hasattr(response, 'content') and response.content.find(repl_form) == -1:
repl_form = '''%s value="%s" />
</form>''' % (repl_form, session_key)
try:
response.content = self._re_forms.sub(repl_form, response.content)
except:
pass
return response
else:
return response
