Ejemplo n.º 1
0
    def cookies_guess(self, request, response, pathmatch):
        """Controller for number guesser using cookies."""

        try:  # access guessed number from form
            guess = int(request.params['guess'])
        except (KeyError, ValueError):
            guess = -1

        try:  # access state values from cookie
            num = int(request.cookies['number'])
            count = int(request.cookies['count'])
        except KeyError:  # no cookie
            num = 0
            count = 0

        # make model object (new or from cookie values)
        g = GuessNumberModel(num, count)
        newmsg = 'Neue Nummer generiert!' if num == 0 else ''

        # evaluate guess
        (found, msg) = g.guess(guess)
        if found:  # correct guess. Destroy cookies
            cookie_num = Cookie("number", g.num, expires=Cookie.expiry_date(-1))
            cookie_count = Cookie("count", 0, expires=Cookie.expiry_date(-1))
        else:  # create new cookies
            cookie_num = Cookie("number", g.num)
            cookie_count = Cookie("count", g.count)

        # send cookies
        response.add_cookie(cookie_num)
        response.add_cookie(cookie_count)
        d = {'msg': msg, 'newmsg': newmsg, 'cnt': g.count+1,
             'variant': 'Cookies', 'hidden': ''}
        response.send_template('show.tmpl', d)
Ejemplo n.º 2
0
    def process_request(self, request, response):
        """Every POST request must present a valid CSRF token."""

        if not hasattr(request, 'session'):
            raise Exception("CSRF middleware needs sessions and must be registered after session middleware.")

        if 'csrf_token' not in request.session:
            # we do have a session but not csrf token yet
            request.session['csrf_token'] = uuid4().hex  # generate random token
            request.session['csrf_input'] = "<input type=hidden name='csrf_token' value='{}'>".format(request.session['csrf_token'])

        # add csrf token as cookie
        # we do this for javascript code that needs to access the token to construct ajax post requests
        # this is not insecure because we don't check if the cookie was delivered but a parameter
        # an attacker cannot access the cookie content
        response.add_cookie(Cookie('csrf_token', request.session['csrf_token']))

        # if we have a POST request, then a proper crsf token must be present
        # this also works for login because anonymous users get a session, too
        if request.method.upper() == "POST":
            if 'csrf_token' not in request.params or request.params['csrf_token'] != request.session['csrf_token']:
                raise StopProcessing(403, "Invalid or missing CSRF token.")
Ejemplo n.º 3
0
 def make_delete_cookie(self):
     """Returns Cookie object to delete cookie"""
     return Cookie(self.cookiename,
                   '',
                   path='/',
                   expires=Cookie.expiry_date(-1))
Ejemplo n.º 4
0
 def make_cookie(self):
     """Returns Cookie object for session id"""
     return Cookie(self.cookiename, self.sessid, path='/')