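def open_session(self, app, request):
    """Load the session named by the request's session cookie from the store.

    The session id comes from the ``app.session_cookie_name`` cookie; when the
    cookie is absent a fresh id is generated and an empty session returned.
    With ``self.use_signer`` the cookie value must carry a valid signature,
    otherwise it is discarded and a fresh id issued (the unsigned value is
    never used for a lookup).  The document is fetched from ``self.store``
    under ``key_prefix + sid``; an expired document is removed and treated as
    missing.

    Returns an instance of ``self.session_class``, or ``None`` when signing is
    enabled but ``_get_signer`` yields no signer.
    """
    sid = request.cookies.get(app.session_cookie_name)
    if not sid:
        sid = self._generate_sid()
        return self.session_class(sid=sid, permanent=self.permanent)

    if self.use_signer:
        signer = self._get_signer(app)
        if signer is None:
            return None
        try:
            sid_as_bytes = signer.unsign(sid)
            sid = sid_as_bytes.decode()
        except BadSignature:
            # Tampered or foreign cookie: hand out a new id instead.
            sid = self._generate_sid()
            return self.session_class(sid=sid, permanent=self.permanent)

    store_id = self.key_prefix + sid
    document = self.store.find_one({'id': store_id})
    if document:
        expiration = document.get('expiration')
        # NOTE(review): compared against a naive utcnow(); the stored value
        # must be a naive UTC datetime as well — confirm against save_session.
        if expiration and expiration <= datetime.utcnow():
            # Delete expired session
            self.store.remove({'id': store_id})
            document = None

    if document is not None:
        try:
            val = document['val']
            data = self.serializer.loads(want_bytes(val))
            return self.session_class(data, sid=sid)
        except Exception:
            # Missing or undeserialisable payload: fall back to an empty
            # session for this id rather than failing the request.  A bare
            # ``except`` here would also swallow KeyboardInterrupt/SystemExit.
            return self.session_class(sid=sid, permanent=self.permanent)

    return self.session_class(sid=sid, permanent=self.permanent)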
def __init__(self, app=None):
    """Derive the session-key layout and the uid-hashing HMAC from app config.

    ``SESSION_KEY_BITS`` (default ``self.uid_bits``) is the length of the
    hashed user-id field and must lie in [64, 256].  The HMAC key is not the
    raw ``app.secret_key`` but ``hmac.digest(secret, b'SESSION_UID_HASH',
    'sha256')``, i.e. a purpose-specific subkey.  The encoded widths of the
    uid, sid and time fields are measured by encoding zero-filled buffers of
    the corresponding byte length.

    Raises ValueError when the configured bit count is out of range.
    """
    if app is None:
        app = flask.current_app

    bits = app.config.get('SESSION_KEY_BITS', self.uid_bits)
    if not 64 <= bits <= 256:
        raise ValueError('SESSION_KEY_BITS must be between 64 and 256!')

    uid_len = (bits + 7) // 8          # round up to whole bytes
    sid_len = self.sid_bits // 8
    time_len = self.time_bits // 8

    secret = want_bytes(app.secret_key)
    subkey = hmac.digest(secret, b'SESSION_UID_HASH', digest='sha256')
    self._hmac = hmac.new(subkey, digestmod='sha256')

    self._uid_len = uid_len
    self._uid_b64 = len(self._encode(bytes(uid_len)))
    self._sid_len = sid_len
    self._sid_b64 = len(self._encode(bytes(sid_len)))
    self._key_min = self._uid_b64 + self._sid_b64
    self._key_max = self._key_min + len(self._encode(bytes(time_len)))
def save_session(self, app, session, response):
    """Persist ``session`` to the Mongo store and refresh the session cookie.

    A modified, empty session is removed from the store and its cookie
    deleted; an unmodified empty session is left alone.  Otherwise the
    serialised session is upserted under ``key_prefix + session.sid`` together
    with its expiration, and the cookie is (re)set carrying the sid — signed
    when ``self.use_signer`` is on — with the httponly/secure/domain/path
    settings obtained from ``app``.
    """
    domain = self.get_cookie_domain(app)
    path = self.get_cookie_path(app)
    store_id = self.key_prefix + session.sid

    if not session:
        # Only an explicit clear (modified empty session) touches the backend.
        if session.modified:
            self.store.remove({'id': store_id})
            response.delete_cookie(app.session_cookie_name,
                                   domain=domain, path=path)
        return

    httponly = self.get_cookie_httponly(app)
    secure = self.get_cookie_secure(app)
    expires = self.get_expiration_time(app, session)

    payload = self.serializer.dumps(dict(session))
    self.store.update_one(
        {'id': store_id},
        {"$set": {'val': payload, 'expiration': expires}},
        True,  # upsert
    )

    cookie_value = session.sid
    if self.use_signer:
        cookie_value = self._get_signer(app).sign(want_bytes(session.sid))
    response.set_cookie(
        app.session_cookie_name,
        cookie_value,
        expires=expires,
        httponly=httponly,
        domain=domain,
        path=path,
        secure=secure,
    )
def save_session(self, app, session, response):
    """Write ``session`` to the cache backend and refresh the session cookie.

    A modified, empty session is evicted from the cache and its cookie
    deleted.  Otherwise the session dict is cached under
    ``key_prefix + session.sid`` with a TTL of
    ``total_seconds(app.permanent_session_lifetime)`` and the cookie is
    (re)set carrying the sid, signed when ``self.use_signer`` is on.
    """
    domain = self.get_cookie_domain(app)
    path = self.get_cookie_path(app)

    if not session:
        if session.modified:
            self.cache.delete(self.key_prefix + session.sid)
            response.delete_cookie(app.session_cookie_name,
                                   domain=domain, path=path)
        return

    httponly = self.get_cookie_httponly(app)
    secure = self.get_cookie_secure(app)
    expires = self.get_expiration_time(app, session)

    cache_key = self.key_prefix + session.sid
    self.cache.set(cache_key, dict(session),
                   total_seconds(app.permanent_session_lifetime))

    cookie_value = session.sid
    if self.use_signer:
        cookie_value = self._get_signer(app).sign(want_bytes(session.sid))
    response.set_cookie(
        app.session_cookie_name,
        cookie_value,
        expires=expires,
        httponly=httponly,
        domain=domain,
        path=path,
        secure=secure,
    )
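def save_session(self, app, session, response):
    """Write ``session`` to memcached and refresh the session cookie.

    The memcached key is ``_encode_key(key_prefix) + _encode_key(session.sid)``.
    A modified, empty session is deleted from memcached and its cookie
    removed.  Otherwise the serialised session is stored with the timeout
    derived from ``app.permanent_session_lifetime`` and the cookie is (re)set
    carrying the sid, signed when ``self.use_signer`` is on.
    """
    domain = self.get_cookie_domain(app)
    path = self.get_cookie_path(app)
    full_session_key = (self._encode_key(self.key_prefix)
                        + self._encode_key(session.sid))

    if not session:
        if session.modified:
            self.client.delete(full_session_key)
            response.delete_cookie(app.session_cookie_name,
                                   domain=domain, path=path)
        return

    httponly = self.get_cookie_httponly(app)
    secure = self.get_cookie_secure(app)
    expires = self.get_expiration_time(app, session)

    # The serialiser output is stored as-is; the former PY2/PY3 branches
    # around this call were identical, so no version check is needed.
    val = self.serializer.dumps(dict(session))
    self.client.set(
        full_session_key,
        val,
        self._get_memcache_timeout(
            total_seconds(app.permanent_session_lifetime)))

    if self.use_signer:
        session_id = self._get_signer(app).sign(want_bytes(session.sid))
    else:
        session_id = session.sid
    response.set_cookie(app.session_cookie_name, session_id,
                        expires=expires, httponly=httponly,
                        domain=domain, path=path, secure=secure)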
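def open_session(self, app, request):
    """Load the session named by the request's session cookie from memcached.

    The session id comes from the ``app.session_cookie_name`` cookie; when the
    cookie is absent a fresh id is generated and an empty session returned.
    With ``self.use_signer`` the cookie value must carry a valid signature,
    otherwise it is discarded and a fresh id issued.  The value is fetched
    from ``self.client`` under ``_encode_key(key_prefix) + _encode_key(sid)``.

    Returns an instance of ``self.session_class``, or ``None`` when signing is
    enabled but ``_get_signer`` yields no signer.
    """
    sid = request.cookies.get(app.session_cookie_name)
    if not sid:
        sid = self._generate_sid()
        return self.session_class(sid=sid, permanent=self.permanent)

    if self.use_signer:
        signer = self._get_signer(app)
        if signer is None:
            return None
        try:
            sid_as_bytes = signer.unsign(sid)
            sid = sid_as_bytes.decode()
        except BadSignature:
            # Tampered or foreign cookie: hand out a new id instead.
            sid = self._generate_sid()
            return self.session_class(sid=sid, permanent=self.permanent)

    full_session_key = (self._encode_key(self.key_prefix)
                        + self._encode_key(sid))
    val = self.client.get(full_session_key)
    if val is not None:
        try:
            if not PY2:
                val = want_bytes(val)
            data = self.serializer.loads(val)
            return self.session_class(data, sid=sid)
        except Exception:
            # Undeserialisable payload: fall back to an empty session for
            # this id.  A bare ``except`` here would also swallow
            # KeyboardInterrupt/SystemExit.
            return self.session_class(sid=sid, permanent=self.permanent)

    return self.session_class(sid=sid, permanent=self.permanent)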
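def open_session(self, app, request):
    """Load the session named by the request's session cookie from the database.

    The session id comes from the ``app.session_cookie_name`` cookie; when the
    cookie is absent a fresh id is generated and an empty session returned.
    With ``self.use_signer`` the cookie value must carry a valid signature,
    otherwise it is discarded and a fresh id issued.  The row is looked up in
    ``self.sql_session_model`` by ``session_id == key_prefix + sid``; an
    expired row is deleted (and committed) and treated as missing.

    Returns an instance of ``self.session_class``, or ``None`` when signing is
    enabled but ``_get_signer`` yields no signer.
    """
    sid = request.cookies.get(app.session_cookie_name)
    if not sid:
        sid = self._generate_sid()
        return self.session_class(sid=sid, permanent=self.permanent)

    if self.use_signer:
        signer = self._get_signer(app)
        if signer is None:
            return None
        try:
            sid_as_bytes = signer.unsign(sid)
            sid = sid_as_bytes.decode()
        except BadSignature:
            # Tampered or foreign cookie: hand out a new id instead.
            sid = self._generate_sid()
            return self.session_class(sid=sid, permanent=self.permanent)

    store_id = self.key_prefix + sid
    saved_session = self.sql_session_model.query.filter_by(
        session_id=store_id).first()
    # NOTE(review): expiry is compared against a naive utcnow(); the column
    # must hold naive UTC datetimes as well — confirm against save_session.
    if saved_session and saved_session.expiry <= datetime.utcnow():
        # Delete expired session
        self.db.session.delete(saved_session)
        self.db.session.commit()
        saved_session = None

    if saved_session:
        try:
            val = saved_session.data
            data = self.serializer.loads(want_bytes(val))
            return self.session_class(data, sid=sid)
        except Exception:
            # Undeserialisable payload: fall back to an empty session for
            # this id.  A bare ``except`` here would also swallow
            # KeyboardInterrupt/SystemExit.
            return self.session_class(sid=sid, permanent=self.permanent)

    return self.session_class(sid=sid, permanent=self.permanent)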
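def __init__(self, key=None, app=None):
    """Bind this session to ``key`` and restore its stored payload, if any.

    ``key`` is normalised with ``want_bytes`` and parsed through
    ``self.app.session_config.parse_key``.  Only a key that parses is looked
    up in ``self.app.session_store``; when the lookup and unpickling succeed
    the parsed ``(uid, sid, created)`` triple and the key are kept on the
    instance.  A key that fails to parse, a missing store entry, a truncated
    payload or an unpickling error leaves the session without those fields.

    ``app`` defaults to ``flask.current_app``.
    """
    self.app = app or flask.current_app
    initial = None
    key = want_bytes(key)
    if parsed := self.app.session_config.parse_key(key, self.app):
        try:
            # Use self.app here: ``app`` is None when the default is taken,
            # while self.app already holds the current_app fallback.
            # NOTE(review): the payload is unpickled; this is only acceptable
            # while the store is trusted and parse_key has verified the key
            # — confirm parse_key authenticates it.
            initial = pickle.loads(self.app.session_store.get(key))
        except (KeyError, EOFError, pickle.UnpicklingError):
            # either the cookie was manipulated or we did not find the
            # session in the backend or the pickled data is invalid.
            # => start new session
            pass
        else:
            (self._uid, self._sid, self._created) = parsed
            self._key = key
    # NOTE(review): ``initial`` is assigned but not used in the visible body.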
def save_session(self, app, session, response):
    """Write ``session`` to the DynamoDB table and refresh the session cookie.

    Items are keyed by ``SessionId == key_prefix + session.sid``.  A modified,
    empty session is deleted from the table and its cookie removed.
    Otherwise the serialised session is written to the ``Session`` attribute
    and the cookie is (re)set carrying the sid, signed when
    ``self.use_signer`` is on.
    """
    domain = self.get_cookie_domain(app)
    path = self.get_cookie_path(app)
    item_key = {'SessionId': {'S': self.key_prefix + session.sid}}

    if not session:
        if session.modified:
            self.client.delete_item(TableName=self.table_name, Key=item_key)
            response.delete_cookie(app.session_cookie_name,
                                   domain=domain, path=path)
        return

    httponly = self.get_cookie_httponly(app)
    secure = self.get_cookie_secure(app)
    expires = self.get_expiration_time(app, session)

    payload = self.serializer.dumps(dict(session))
    item = dict(item_key)
    item['Session'] = {'S': payload}
    self.client.put_item(TableName=self.table_name, Item=item)

    cookie_value = session.sid
    if self.use_signer:
        cookie_value = self._get_signer(app).sign(want_bytes(session.sid))
    response.set_cookie(
        app.session_cookie_name,
        cookie_value,
        expires=expires,
        httponly=httponly,
        domain=domain,
        path=path,
        secure=secure,
    )
def save_session(self, app, session, response):
    """Persist ``session`` through the SQL model and refresh the session cookie.

    The existing row (``session_id == key_prefix + session.sid``) is fetched
    first.  A modified, empty session deletes that row (if any) and the
    cookie.  Otherwise the serialised session and its expiry are written to
    the existing row, or a new row is added, and the cookie is (re)set
    carrying the sid, signed when ``self.use_signer`` is on.  Every write is
    committed immediately.
    """
    domain = self.get_cookie_domain(app)
    path = self.get_cookie_path(app)
    store_id = self.key_prefix + session.sid
    row = self.sql_session_model.query.filter_by(
        session_id=store_id).first()

    if not session:
        if session.modified:
            if row:
                self.db.session.delete(row)
                self.db.session.commit()
            response.delete_cookie(app.session_cookie_name,
                                   domain=domain, path=path)
        return

    httponly = self.get_cookie_httponly(app)
    secure = self.get_cookie_secure(app)
    expires = self.get_expiration_time(app, session)
    payload = self.serializer.dumps(dict(session))

    if row:
        row.data = payload
        row.expiry = expires
    else:
        self.db.session.add(self.sql_session_model(store_id, payload, expires))
    self.db.session.commit()

    cookie_value = session.sid
    if self.use_signer:
        cookie_value = self._get_signer(app).sign(want_bytes(session.sid))
    response.set_cookie(
        app.session_cookie_name,
        cookie_value,
        expires=expires,
        httponly=httponly,
        domain=domain,
        path=path,
        secure=secure,
    )
def save_session(self, app, session, response):
    """Write ``session`` to Redis and refresh the session cookie.

    A modified, empty session is deleted from Redis and its cookie removed.
    Otherwise the serialised session is stored with SETEX under
    ``key_prefix + session.sid`` for ``total_seconds(app.permanent_session_lifetime)``
    and the cookie is (re)set carrying the sid, signed when ``self.use_signer``
    is on.

    The cookie is emitted on every save.  The ``should_set_cookie`` check
    (driven by SESSION_REFRESH_EACH_REQUEST and the session's permanent flag)
    that could skip redundant Set-Cookie headers is deliberately not applied
    here.
    """
    domain = self.get_cookie_domain(app)
    path = self.get_cookie_path(app)

    if not session:
        if session.modified:
            self.redis.delete(self.key_prefix + session.sid)
            response.delete_cookie(app.session_cookie_name,
                                   domain=domain, path=path)
        return

    httponly = self.get_cookie_httponly(app)
    secure = self.get_cookie_secure(app)
    expires = self.get_expiration_time(app, session)

    payload = self.serializer.dumps(dict(session))
    self.redis.setex(name=self.key_prefix + session.sid,
                     value=payload,
                     time=total_seconds(app.permanent_session_lifetime))

    cookie_value = session.sid
    if self.use_signer:
        cookie_value = self._get_signer(app).sign(want_bytes(session.sid))
    response.set_cookie(
        app.session_cookie_name,
        cookie_value,
        expires=expires,
        httponly=httponly,
        domain=domain,
        path=path,
        secure=secure,
    )
def test_base64(value):
    """Round trip: encoding yields bytes and decoding restores want_bytes(value)."""
    encoded = base64_encode(value)
    assert isinstance(encoded, bytes)
    assert base64_decode(encoded) == want_bytes(value)
def test_want_bytes(value):
    """want_bytes must always hand back a bytes object."""
    assert isinstance(want_bytes(value), bytes)
def gen_uid(self, uid):
    """Return the encoded, ``_uid_len``-byte truncated HMAC of ``uid``.

    This is the hashed user-id part of a session key.  The pre-keyed
    ``self._hmac`` is copied rather than updated so it stays reusable.
    """
    mac = self._hmac.copy()
    mac.update(want_bytes(uid))
    truncated = mac.digest()[:self._uid_len]
    return self._encode(truncated)