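	def GetUserID( cls, request ):
		"""Returns the user id carried by the session cookie, or None.

		The cookie is expected in the layout that `CreateSessionCookie`
		produces: a 64-character SHA-256 hex digest of the client IP plus
		`cls.COOKIE_CONNECTION_SALT`, immediately followed by the base64
		encoding of the encrypted user id.

		The digest is recomputed for the *current* request and must match
		the cookie's prefix before anything is decrypted, so a cookie lifted
		from a client at a different address is rejected. None is returned
		when the cookie is missing, too short, bound to another address, not
		valid base64, or decrypts to "anonymous".

		NOTE(review): the encrypted part still carries no integrity check
		(no MAC); whether a tampered ciphertext is detected depends entirely
		on `crypt_decrypt`, which is not visible here.
		"""
		import binascii
		import hmac

		connection_cookie = request.cookie(cls.COOKIE_CONNECTION)
		# The original compared the cookie *string* with 64 instead of its
		# length (always True on Python 2, TypeError on Python 3); a short
		# cookie then reached the decrypt step with an empty payload.
		if not connection_cookie or len(connection_cookie) <= 64:
			return None
		# Recompute the IP-binding digest exactly as CreateSessionCookie does.
		address = str(request.clientIP()) + cls.COOKIE_CONNECTION_SALT
		# sha256 needs bytes on Python 3; on Python 2 `str` already is bytes,
		# so this is a no-op there.
		if not isinstance(address, bytes):
			address = address.encode("utf-8")
		expected = hashlib.sha256(address).hexdigest()
		# Constant-time comparison of the prefix against the expected digest.
		if not hmac.compare_digest(str(connection_cookie[:64]), expected):
			return None
		try:
			crypted = base64.b64decode(connection_cookie[64:])
		except (binascii.Error, TypeError, ValueError):
			# Garbage after the digest. b64decode raises TypeError on
			# Python 2 and binascii.Error (a ValueError) on Python 3.
			return None
		user_id = crypt_decrypt(crypted, cls.CRYPT_KEY)
		if user_id != "anonymous":
			return user_id
		return None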
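	def CreateSessionCookie( cls, request, userid="anonymous" ):
		"""Builds the value of the session cookie for `request`.

		The value is the plain concatenation (there is no separator) of:

		- a 64-character SHA-256 hex digest of the client's IP address and
		  `cls.COOKIE_CONNECTION_SALT`, which binds the cookie to that IP;
		- the base64 encoding of `userid` passed through `crypt_decrypt`
		  with `cls.CRYPT_KEY` (the same call is used when reading the
		  cookie back, so it is presumably a symmetric transform).

		This mechanism is definitely not very secure against cookie
		stealing: an attacker coming from the same IP (and, once the FIXME
		below is done, the same user agent) can replay the cookie, and the
		encrypted part carries no integrity check of its own.

		Args:
			request: the incoming request; only `clientIP()` is used.
			userid: the user id to embed; defaults to "anonymous".

		Returns:
			The cookie value as a string.
		"""
		# FIXME: Add userAgent as well to the first part
		address = str(request.clientIP()) + cls.COOKIE_CONNECTION_SALT
		# sha256 needs bytes on Python 3; on Python 2 `str` already is bytes,
		# so this is a no-op there.
		if not isinstance(address, bytes):
			address = address.encode("utf-8")
		digest = hashlib.sha256(address).hexdigest()
		# FIXME: UserId should be encrypted with some part of the request as well
		# b64encode never inserts line breaks. encodestring wrapped its output
		# at 76 characters, so any id whose ciphertext exceeded 57 bytes ended
		# up with a newline inside the cookie value.
		user_id = base64.b64encode(crypt_decrypt(str(userid), cls.CRYPT_KEY))
		if not isinstance(user_id, str):
			user_id = user_id.decode("ascii")
		return digest + user_id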