Esempio n. 1
 def _make_session_id(self):
     """Return a fresh session ID that the session manager does not know yet.

     The ID doubles as the value of the session cookie sent to the user and
     as the key under which the session manager stores the session, so a
     new candidate is drawn until self.has_session() reports it as unused.
     """
     candidate = randbytes(8)  # 64 bits of randomness per candidate
     # NOTE(review): 64 bits is the shortest of the randbytes() lengths used
     # in these examples; confirm it meets the deployment's session-ID
     # entropy requirement.
     while self.has_session(candidate):
         candidate = randbytes(8)
     return candidate
Esempio n. 2
 def _make_session_id(self):
     """Return a fresh session ID that the session manager does not know yet.

     The ID doubles as the value of the session cookie sent to the user and
     as the key under which the session manager stores the session, so
     candidates are drawn until self.has_session() reports one as unused.
     """
     while True:
         session_id = randbytes(16)  # 128 bits of randomness per candidate
         if not self.has_session(session_id):
             return session_id
Esempio n. 3
    def create_form_token(self):
        """() -> string

        Generate a fresh form token, remember it in this session's queue of
        outstanding tokens and return it.  The queue holds at most
        MAX_FORM_TOKENS entries; the oldest entries are discarded first.
        """
        token = randbytes(8)  # 64-bit random value
        queue = self._form_tokens
        queue.append(token)
        overflow = len(queue) - self.MAX_FORM_TOKENS
        if overflow > 0:
            # Trim from the front so only the newest MAX_FORM_TOKENS remain.
            del queue[:overflow]
        return token
Esempio n. 4
    def create_form_token(self):
        """() -> string

        Generate a fresh form token, remember it in this session's queue of
        outstanding tokens and return it.  The queue holds at most
        MAX_FORM_TOKENS entries; the oldest entries are discarded first.
        """
        token = randbytes(16)  # 128-bit random value
        queue = self._form_tokens
        queue.append(token)
        overflow = len(queue) - self.MAX_FORM_TOKENS
        if overflow > 0:
            # Trim from the front so only the newest MAX_FORM_TOKENS remain.
            del queue[:overflow]
        return token
Esempio n. 5
 def get_csrf_token(self):
     """Return this session's CSRF token, creating it on first use.

     The token is a 128-bit random value intended to be embedded in forms
     as a hidden field and verified on submission with a constant-time
     comparison.  Keep it out of GET URLs, where disclosure is more likely.
     A dedicated token provides some security benefit over reusing the
     session ID for this purpose.
     """
     token = self._csrf_token
     if token is None:
         # Lazily generated once and then cached for the session's lifetime.
         token = randbytes(16)  # 128-bit random number
         self._csrf_token = token
     return token