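def logout():
    """Terminate the current login session and render the logout page.

    Ends the server-side session (when the cookie says we are logged in),
    wipes every key from the client session, sets a flash message and
    renders ``aaa/logout.html``. ``dsturl`` is passed to the template so
    the page can offer a post-logout destination.

    Returns:
        The rendered logout template.
    """
    # Only honour a referrer that local_request() accepts, so the
    # post-logout destination can never point off-site.
    dsturl = None
    if request.referrer and local_request(request.referrer):
        dsturl = request.referrer

    # End the session in the database. 'li' marks a logged-in session; the
    # session id is bound as a query parameter, never interpolated into SQL.
    already_logged_out = 'li' not in session
    if not already_logged_out:
        ses = db.session
        # NOTE(review): assumes 'i' is always set alongside 'li' — a cookie
        # carrying 'li' but no 'i' raises KeyError here; confirm on the
        # login path.
        ses.execute(
            text("SELECT ret, col, msg FROM aaa.logout(:sid) AS (ret BOOL, col TEXT, msg TEXT)",
                 bindparams=[bindparam('sid', session['i'])]))
        ses.commit()
        # The result of aaa.logout() is deliberately not inspected. Whether
        # or not the session id is valid for this client's IP address, the
        # session is terminated: shoot first, ask questions later (i.e. why
        # was a BadUser in possession of GoodUser's session id?!).

    # Nuke every key in the session. Popping while iterating session.keys()
    # raises "dictionary changed size during iteration" under Python 3;
    # clear() removes everything in one step.
    session.clear()

    # Set the flash message only after the session has been wiped.
    if already_logged_out:
        flash('Session cleared for logged out user')
    else:
        flash('You were logged out')

    return render_template('aaa/logout.html', dsturl=dsturl)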
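def fixup_destination_url(src_param_name, dst_param_name):
    """Move a post-login destination URL into a local session variable.

    The destination is looked up first in the session under
    ``src_param_name`` and, failing that, in the query string — the latter
    only when ``local_request()`` accepts it. Useful when you want to
    capture the last value of something, but a user could possibly walk
    off.

    Args:
        src_param_name: Session key / query parameter holding the candidate.
        dst_param_name: Session key the accepted destination is stored under.

    Returns:
        ``False`` when no candidate was found. ``True`` otherwise — also
        when the candidate was discarded by ``LOGIN_SUFFIX_BLACKLIST``, in
        which case ``dst_param_name`` has merely been removed from the
        session.
    """
    local_dsturl = None
    if src_param_name in session:
        # The session cookie is signed, so a value we stored there earlier
        # is taken as trusted without re-checking it (presumably it passed
        # local_request() on the way in — verify against the callers).
        local_dsturl = session.pop(src_param_name)
    elif src_param_name in request.args and local_request(
            request.args[src_param_name]):
        # Request parameters are attacker-controlled; an unchecked value
        # here would be an open redirect, so only local destinations pass.
        local_dsturl = request.args[src_param_name]

    # Nothing was found in the session or the arguments
    if not local_dsturl:
        return False

    # Something was found: drop any previously stored destination so a
    # blacklisted candidate cannot leave a stale one behind.
    session.pop(dst_param_name, None)

    # Compare the suffix against the URL with query string and fragment
    # stripped as well as against the raw URL, so "/login?next=..." is
    # rejected exactly like "/login". Everything the plain endswith() check
    # rejected is still rejected.
    path_only = local_dsturl.split('#', 1)[0].split('?', 1)[0]
    for suffix, enabled in LOGIN_SUFFIX_BLACKLIST.items():
        if enabled and (local_dsturl.endswith(suffix)
                        or path_only.endswith(suffix)):
            local_dsturl = None
            break

    if local_dsturl:
        session[dst_param_name] = local_dsturl
    return True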
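def fixup_destination_url(src_param_name, dst_param_name):
    """Move a post-login destination URL into a local session variable.

    The destination is looked up first in the session under
    ``src_param_name`` and, failing that, in the query string — the latter
    only when ``local_request()`` accepts it. Useful when you want to
    capture the last value of something, but a user could possibly walk
    off.

    Args:
        src_param_name: Session key / query parameter holding the candidate.
        dst_param_name: Session key the accepted destination is stored under.

    Returns:
        ``False`` when no candidate was found. ``True`` otherwise — also
        when the candidate was discarded by ``LOGIN_SUFFIX_BLACKLIST``, in
        which case ``dst_param_name`` has merely been removed from the
        session.
    """
    local_dsturl = None
    if src_param_name in session:
        # The session cookie is signed, so a value we stored there earlier
        # is taken as trusted without re-checking it (presumably it passed
        # local_request() on the way in — verify against the callers).
        local_dsturl = session.pop(src_param_name)
    elif src_param_name in request.args and local_request(
            request.args[src_param_name]):
        # Request parameters are attacker-controlled; an unchecked value
        # here would be an open redirect, so only local destinations pass.
        local_dsturl = request.args[src_param_name]

    # Nothing was found in the session or the arguments
    if not local_dsturl:
        return False

    # Something was found: drop any previously stored destination so a
    # blacklisted candidate cannot leave a stale one behind.
    session.pop(dst_param_name, None)

    # Compare the suffix against the URL with query string and fragment
    # stripped as well as against the raw URL, so "/login?next=..." is
    # rejected exactly like "/login". Everything the plain endswith() check
    # rejected is still rejected.
    path_only = local_dsturl.split('#', 1)[0].split('?', 1)[0]
    for suffix, enabled in LOGIN_SUFFIX_BLACKLIST.items():
        if enabled and (local_dsturl.endswith(suffix)
                        or path_only.endswith(suffix)):
            local_dsturl = None
            break

    if local_dsturl:
        session[dst_param_name] = local_dsturl
    return True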
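def logout():
    """Terminate the current login session and render the logout page.

    Ends the server-side session (when the cookie says we are logged in),
    wipes every key from the client session, sets a flash message and
    renders ``aaa/logout.html``. ``dsturl`` is passed to the template so
    the page can offer a post-logout destination.

    Returns:
        The rendered logout template.
    """
    # Only honour a referrer that local_request() accepts, so the
    # post-logout destination can never point off-site.
    dsturl = None
    if request.referrer and local_request(request.referrer):
        dsturl = request.referrer

    # End the session in the database. 'li' marks a logged-in session; the
    # session id is bound as a query parameter, never interpolated into SQL.
    already_logged_out = 'li' not in session
    if not already_logged_out:
        ses = db.session
        # NOTE(review): assumes 'i' is always set alongside 'li' — a cookie
        # carrying 'li' but no 'i' raises KeyError here; confirm on the
        # login path.
        ses.execute(
            text(
                "SELECT ret, col, msg FROM aaa.logout(:sid) AS (ret BOOL, col TEXT, msg TEXT)",
                bindparams=[bindparam('sid', session['i'])]))
        ses.commit()
        # The result of aaa.logout() is deliberately not inspected. Whether
        # or not the session id is valid for this client's IP address, the
        # session is terminated: shoot first, ask questions later (i.e. why
        # was a BadUser in possession of GoodUser's session id?!).

    # Nuke every key in the session. Popping while iterating session.keys()
    # raises "dictionary changed size during iteration" under Python 3;
    # clear() removes everything in one step.
    session.clear()

    # Set the flash message only after the session has been wiped.
    if already_logged_out:
        flash('Session cleared for logged out user')
    else:
        flash('You were logged out')

    return render_template('aaa/logout.html', dsturl=dsturl)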