def _make_session_id(self): # Generate a session ID, which is just the value of the session # cookie we are about to drop on the user. (It's also the key # used with the session manager mapping interface.) id = None while id is None or self.has_session(id): id = randbytes(8) # 64-bit random number return id
def _make_session_id(self): # Generate a session ID, which is just the value of the session # cookie we are about to drop on the user. (It's also the key # used with the session manager mapping interface.) id = None while id is None or self.has_session(id): id = randbytes(16) # 128-bit random number return id
def create_form_token(self): """() -> string Create a new form token and add it to a queue of outstanding form tokens for this session. A maximum of MAX_FORM_TOKENS are saved. The new token is returned. """ token = randbytes(8) self._form_tokens.append(token) extra = len(self._form_tokens) - self.MAX_FORM_TOKENS if extra > 0: del self._form_tokens[:extra] return token
def create_form_token(self): """() -> string Create a new form token and add it to a queue of outstanding form tokens for this session. A maximum of MAX_FORM_TOKENS are saved. The new token is returned. """ token = randbytes(16) self._form_tokens.append(token) extra = len(self._form_tokens) - self.MAX_FORM_TOKENS if extra > 0: del self._form_tokens[:extra] return token
def get_csrf_token(self): """Return a random token unique to the session. This is suitable for inclusion in forms as a hidden field in order to prevent CSRF attacks. When the form is submitted, the token must be checked using a constant time compare. The token should not be included in GET URLs as there is a greater risk of disclosure. Using a separate token provides some security benefits over re-using the session ID as a CSRF token. """ if self._csrf_token is None: self._csrf_token = randbytes(16) # 128-bit random number return self._csrf_token
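Review bot: The new `get_csrf_token` docstring says the token "must be checked using a constant time compare", but the hunk adds no method that performs that check, so every form handler has to get it right on its own; a companion verifier on the same class keeps the comparison in one place, e.g. `def check_csrf_token(self, token):` / `return (self._csrf_token is not None and hmac.compare_digest(self._csrf_token, token))`, with `import hmac` added at the top of the module. The `is not None` guard matters because `compare_digest` raises `TypeError` on `None`, and the two arguments must be of the same type (both `str` or both `bytes`), which presumably holds if `randbytes` returns the same type the form field submits — worth confirming against the helper. In the same section, the rewritten `_make_session_id` still binds its loop variable as `id`, shadowing the builtin; `session_id` would read better. The enclosing session class and the `randbytes` helper these methods call are outside the hunk, so their definitions are inferred from use here.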