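def logout():
    """Terminate the server-side session and wipe the client session.

    Flow:
      1. Pick a post-logout destination from the Referer header, but only
         when ``local_request`` accepts it, so an arbitrary Referer value
         is never handed to the template as a redirect target.
      2. If the client session is marked as logged in (``'li'`` key), ask
         the database to end the server-side session whose id is stored in
         ``session['i']``.
      3. Drop every key from the client session, whatever the database said.
      4. Flash a message and render the logout template.

    Returns:
        The rendered ``aaa/logout.html`` response, with ``dsturl`` set to
        the accepted referrer or ``None``.
    """
    # Only a referrer that local_request() vouches for becomes the
    # post-logout destination; anything else leaves dsturl as None.
    dsturl = None
    if request.referrer and local_request(request.referrer):
        dsturl = request.referrer

    # End the session in the database. Decide up front whether there was a
    # logged-in marker, because the session is cleared below.
    already_logged_out = 'li' not in session
    if not already_logged_out:
        ses = db.session
        # NOTE(review): session['i'] raises KeyError if 'li' is present
        # without 'i'; whether that combination can occur is not visible here.
        ses.execute(
            text("SELECT ret, col, msg FROM aaa.logout(:sid) AS (ret BOOL, col TEXT, msg TEXT)",
                 bindparams=[bindparam('sid', session['i'])]))
        ses.commit()
        # For now, don't test the result of the logout call. Regardless of
        # whether or not a user provides us with a valid session ID from the
        # wrong IP address, terminate the session. Shoot first, ask questions
        # later (i.e. why was a BadUser in possession of GoodUser's session
        # ID?!)

    # Nuke every key in the session. Snapshot the keys first: popping from a
    # dict-like object while iterating its live key view raises
    # "dictionary changed size during iteration", which would leave the
    # client session intact after the database session was already ended.
    for key in list(session.keys()):
        session.pop(key)

    # Set a flash message after we nuke the keys in session.
    if already_logged_out:
        flash('Session cleared for logged out user')
    else:
        flash('You were logged out')

    return render_template('aaa/logout.html', dsturl=dsturl)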
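def fixup_destination_url(src_param_name, dst_param_name):
    """
    Saves the destination URL tagged as a URL parameter or in the session
    and moves it over to a local session variable.  Useful when you want
    to capture the last value of something, but a user could possibly walk
    off.

    Args:
        src_param_name: key looked up first in ``session`` and, failing
            that, in ``request.args`` (request values are accepted only when
            ``local_request`` approves them).
        dst_param_name: session key that receives the accepted URL.

    Returns:
        False when neither source held a truthy value.  True otherwise,
        including when the value matched an enabled entry in
        ``LOGIN_SUFFIX_BLACKLIST``: in that case the previous
        ``dst_param_name`` entry has been removed and nothing new stored.

    Only the path component of the URL is compared against the blacklist,
    so a query string or fragment appended to a blacklisted path does not
    slip it past the check.
    """
    from urllib.parse import urlsplit

    local_dsturl = None
    if src_param_name in session:
        # SecureCookie sessions are tamper proof, supposedly. Don't need to
        # check if its a trusted parameter.
        local_dsturl = session.pop(src_param_name)
    elif src_param_name in request.args and local_request(request.args[src_param_name]):
        # Request parameters are spoofable, always check and only accept
        # trusted arguments.
        local_dsturl = request.args[src_param_name]

    # Return if nothing was found in the arguments
    if not local_dsturl:
        return False

    # If something was found, remove our destination
    session.pop(dst_param_name, None)

    # Compare the path only, ignoring query string and fragment, so that a
    # login page followed by "?next=..." is still recognised as the login
    # page.  Fall back to the raw value if it does not parse as a URL.
    try:
        path = urlsplit(local_dsturl).path
    except ValueError:
        path = local_dsturl
    for suffix, blocked in LOGIN_SUFFIX_BLACKLIST.items():
        if blocked and path.endswith(suffix):
            local_dsturl = None
            break

    if local_dsturl:
        session[dst_param_name] = local_dsturl
    return True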
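def fixup_destination_url(src_param_name, dst_param_name):
    """
    Saves the destination URL tagged as a URL parameter or in the session
    and moves it over to a local session variable.  Useful when you want
    to capture the last value of something, but a user could possibly walk
    off.

    Args:
        src_param_name: key looked up first in ``session`` and, failing
            that, in ``request.args`` (request values are accepted only when
            ``local_request`` approves them).
        dst_param_name: session key that receives the accepted URL.

    Returns:
        False when neither source held a truthy value.  True otherwise,
        including when the value matched an enabled entry in
        ``LOGIN_SUFFIX_BLACKLIST``: in that case the previous
        ``dst_param_name`` entry has been removed and nothing new stored.

    Only the path component of the URL is compared against the blacklist,
    so a query string or fragment appended to a blacklisted path does not
    slip it past the check.
    """
    from urllib.parse import urlsplit

    local_dsturl = None
    if src_param_name in session:
        # SecureCookie sessions are tamper proof, supposedly. Don't need to
        # check if its a trusted parameter.
        local_dsturl = session.pop(src_param_name)
    elif src_param_name in request.args and local_request(
            request.args[src_param_name]):
        # Request parameters are spoofable, always check and only accept
        # trusted arguments.
        local_dsturl = request.args[src_param_name]

    # Return if nothing was found in the arguments
    if not local_dsturl:
        return False

    # If something was found, remove our destination
    session.pop(dst_param_name, None)

    # Compare the path only, ignoring query string and fragment, so that a
    # login page followed by "?next=..." is still recognised as the login
    # page.  Fall back to the raw value if it does not parse as a URL.
    try:
        path = urlsplit(local_dsturl).path
    except ValueError:
        path = local_dsturl
    for suffix, blocked in LOGIN_SUFFIX_BLACKLIST.items():
        if blocked and path.endswith(suffix):
            local_dsturl = None
            break

    if local_dsturl:
        session[dst_param_name] = local_dsturl
    return True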
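def logout():
    """Terminate the server-side session and wipe the client session.

    Flow:
      1. Pick a post-logout destination from the Referer header, but only
         when ``local_request`` accepts it, so an arbitrary Referer value
         is never handed to the template as a redirect target.
      2. If the client session is marked as logged in (``'li'`` key), ask
         the database to end the server-side session whose id is stored in
         ``session['i']``.
      3. Drop every key from the client session, whatever the database said.
      4. Flash a message and render the logout template.

    Returns:
        The rendered ``aaa/logout.html`` response, with ``dsturl`` set to
        the accepted referrer or ``None``.
    """
    # Only a referrer that local_request() vouches for becomes the
    # post-logout destination; anything else leaves dsturl as None.
    dsturl = None
    if request.referrer and local_request(request.referrer):
        dsturl = request.referrer

    # End the session in the database. Decide up front whether there was a
    # logged-in marker, because the session is cleared below.
    already_logged_out = 'li' not in session
    if not already_logged_out:
        ses = db.session
        # NOTE(review): session['i'] raises KeyError if 'li' is present
        # without 'i'; whether that combination can occur is not visible here.
        ses.execute(
            text(
                "SELECT ret, col, msg FROM aaa.logout(:sid) AS (ret BOOL, col TEXT, msg TEXT)",
                bindparams=[bindparam('sid', session['i'])]))
        ses.commit()
        # For now, don't test the result of the logout call. Regardless of
        # whether or not a user provides us with a valid session ID from the
        # wrong IP address, terminate the session. Shoot first, ask questions
        # later (i.e. why was a BadUser in possession of GoodUser's session
        # ID?!)

    # Nuke every key in the session. Snapshot the keys first: popping from a
    # dict-like object while iterating its live key view raises
    # "dictionary changed size during iteration", which would leave the
    # client session intact after the database session was already ended.
    for key in list(session.keys()):
        session.pop(key)

    # Set a flash message after we nuke the keys in session.
    if already_logged_out:
        flash('Session cleared for logged out user')
    else:
        flash('You were logged out')

    return render_template('aaa/logout.html', dsturl=dsturl)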