def decrypt(self, request, sessionid): """ Avoid showing plain sessionids Optionally require that a referer exists and matches the whitelist, or reset the session """ if not sessionid: return '' (nonce, sessionid) = sessionid.split(':', 1) sessionid = self.xor(nonce, sessionid.decode('base64')) secret = self._secret(request) if self.settings.get('HOSTS', []): referer = request.META.get('HTTP_REFERER', 'None') if referer == 'None': # End session unless a referer is passed return '' url = urlparse(referer) if url.hostname not in self.settings['HOSTS']: err = '%s is unauthorised' % url.hostname raise Exception(err) session_key = crypt(secret, sessionid.decode('base64')) try: return unicode(session_key) except: return ''
def decrypt(self, request, sessionid): """ Avoid showing plain sessionids Optionally require that a referer exists and matches the whitelist, or reset the session """ if not sessionid: return '' (nonce,sessionid) = sessionid.split(':', 1) sessionid = self.xor(nonce, sessionid.decode('base64')) secret = self._secret(request) if self.settings.get('HOSTS', []): referer = request.META.get('HTTP_REFERER', 'None') if referer == 'None': # End session unless a referer is passed return '' url = urlparse(referer) if url.hostname not in self.settings['HOSTS']: err = '%s is unauthorised' % url.hostname raise Exception(err) session_key = crypt(secret, sessionid.decode('base64')) try: return unicode(session_key) except: return ''
def encrypt(self, request, sessionid): """ Avoid showing plain sessionids Use base64 - but strip the line return it adds """ if not sessionid: return '' secret = self._secret(request) session_key = crypt(secret, sessionid).encode('base64') nonce = self._random_string_generator(20) session_key = self.xor(nonce, session_key).encode('base64') if session_key.endswith("\n"): session_key = session_key[:-1] return "%s:%s" % (nonce, session_key)
def _secret(self, request): """ optionally make secret client or url dependent NB: Needs to be at least 16 characters so add secret to META data """ secret = self.secret specific = '' if self.settings.get('URL_SPECIFIC', False): specific += request.META.get('SERVER_NAME', '') specific += request.META.get('PATH_INFO', '') if self.settings.get('CLIENT_ID', False): specific += request.META.get('REMOTE_ADDR', '127.0.0.1') specific += request.META.get('HTTP_USER_AGENT', 'unknown browser') if specific: secret = crypt(secret, specific + self.secret) new_secret = '' # Grab ascii from the whole specific string for i in range(0, len(secret), int(len(secret) / 16)): try: new_secret += secret[i].encode('ascii') except: new_secret += secret[i].encode('base64')[0] secret = new_secret[:16] return secret
def _secret(self, request): """ optionally make secret client or url dependent NB: Needs to be at least 16 characters so add secret to META data """ secret = self.secret specific = '' if self.settings.get('URL_SPECIFIC', False): specific += request.META.get('SERVER_NAME', '') specific += request.META.get('PATH_INFO', '') if self.settings.get('CLIENT_ID', False): specific += request.META.get('REMOTE_ADDR', '127.0.0.1') specific += request.META.get('HTTP_USER_AGENT', 'unknown browser') if specific: secret = crypt(secret, specific + self.secret) new_secret = '' # Grab ascii from the whole specific string for i in range(0, len(secret), int(len(secret)/16)): try: new_secret += secret[i].encode('ascii') except: new_secret += secret[i].encode('base64')[0] secret = new_secret[:16] return secret