def issue_aft_token():
"""
Issues a new antiforgery token to include in a page request.
If it doesn't exist in the request, sets a cookie in the response.
@param request
@returns {string} the newly defined
"""
# check if the session is defined inside the request
if not request.session:
raise Error("missing session inside the request object; use the AntiforgeryValidate after the membership provider")
encryption_key = request.session.guid
cookie_token = request.cookies.get(cookie_name)
new_token_defined = False
if not cookie_token:
#define a new token
cookie_token = uuid.uuid1()
new_token_defined = True
else:
can_decrypt, value = AesEncryptor.try_decrypt(cookie_token, encryption_key)
if not can_decrypt:
cookie_token = uuid.uuid1()
new_token_defined = True
else:
# use the same value of before
cookie_token = value
if new_token_defined:
cookie_token = str(cookie_token)
encrypted_token = AesEncryptor.encrypt(cookie_token, str(encryption_key))
# the cookie will be set in response object inside global_handlers function
request.set_aft_cookie = encrypted_token
# return the token encrypted with AES; many calls always return a different value
return AesEncryptor.encrypt(cookie_token, encryption_key)
def set_auth_cookie(response):
set_session_cookie = hasattr(request, "set_session_cookie")
unset_session_cookie = hasattr(request, "unset_session_cookie")
set_aft_cookie = hasattr(request, "set_aft_cookie")
if set_session_cookie:
session = request.session
session_guid = str(session.guid)
# encrypt:
session_token = AesEncryptor.encrypt(session_guid, ENCRYPTION_KEY)
response.set_cookie(session_cookie,
value=session_token,
expires=session.expiration,
httponly=True,
secure=SECURE_COOKIES)
if unset_session_cookie:
# instruct the browser to delete the session cookie
response.set_cookie(session_cookie, value="", expires=0)
if set_aft_cookie:
session = request.session
aft = request.set_aft_cookie
# set the cookie in the response
response.set_cookie("aftck",
value=aft,
expires=session.expiration,
httponly=True,
secure=SECURE_COOKIES)
# force XSS protection, otherwise it would be pointless to issue an antiforgery token
response.headers["X-Frame-Options"] = "SAMEORIGIN"
return response
def set_auth_cookie(response):
set_session_cookie = hasattr(request, "set_session_cookie")
unset_session_cookie = hasattr(request, "unset_session_cookie")
set_aft_cookie = hasattr(request, "set_aft_cookie")
if set_session_cookie:
session = request.session
session_guid = str(session.guid)
# encrypt:
session_token = AesEncryptor.encrypt(session_guid, ENCRYPTION_KEY)
response.set_cookie(session_cookie,
value=session_token,
expires=session.expiration,
httponly=True,
secure=SECURE_COOKIES)
if unset_session_cookie:
# instruct the browser to delete the session cookie
response.set_cookie(session_cookie, value="", expires=0)
if set_aft_cookie:
session = request.session
aft = request.set_aft_cookie
# set the cookie in the response
response.set_cookie("aftck",
value=aft,
expires=session.expiration,
httponly=True,
secure=SECURE_COOKIES)
# force XSS protection, otherwise it would be pointless to issue an antiforgery token
response.headers["X-Frame-Options"] = "SAMEORIGIN"
return response
async def initialize_anonymous_session(self, request: Request):
"""
Initializes an anonymous session for the given request.
:param request: incoming request to a resource that is related to this logical area.
"""
client_ip = self.get_client_ip(request)
result = await self.membership.initialize_anonymous_session(
client_ip, client_data=request.headers.get("User-Agent"))
# set a flag to set a session cookie
session = result.session
session_cookie_name = self.config.session_cookie_name
encryption_key = self.config.encryption_key
session_cookie_value = AesEncryptor.encrypt(str(session.guid),
encryption_key)
request.set_session_cookie = True
request.cookies_to_set.append(
CookieToken(session_cookie_name,
session_cookie_value,
httponly=True,
secure=self.secure_cookies))
# store user and session information in the request object
request.user = result.principal
request.session = session
def issue_aft(request):
"""
Issues a new session based antiforgery token.
This solution implements the double token strategy: the same antiforgery token is serialized twice,
hence producing two different encrypted strings. One is set as response cookie; one is returned to be rendered
inside the html view.
"""
# check if the session is defined inside the request
if not hasattr(request, "session"):
# missing session context; use the AntiforgeryValidate after the membership provider
raise ValueError("missing session context")
encryption_key = str(request.session.guid)
cookie_token = request.cookies.get(cookie_name)
if not cookie_token:
#define a new token
cookie_token = uuid.uuid1()
else:
can_decrypt, value = AesEncryptor.try_decrypt(cookie_token,
encryption_key)
if not can_decrypt:
cookie_token = uuid.uuid1()
else:
# use the same value of before
cookie_token = value
# will set a new cookie in the response object
cookie_token = str(cookie_token)
encrypted_token = AesEncryptor.encrypt(cookie_token, encryption_key)
# the cookie will be set in response object inside global_handlers function
request.cookies_to_set.append(
CookieToken(cookie_name,
encrypted_token.decode("utf-8"),
httponly=True,
secure=configuration.secure_cookies))
# return the token encrypted with AES; many calls always return a different value
v = AesEncryptor.encrypt(cookie_token, encryption_key)
return v.decode("utf-8")
