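def cookies_guess(self, request, response, pathmatch):
    """Controller for number guesser using cookies.

    Game state (the secret ``number`` and the guess ``count``) is carried in
    plain cookies, so it is both readable and modifiable by the client; every
    value read back from a cookie is therefore treated as untrusted input.

    Args:
        request: incoming request; ``params['guess']`` and the ``number`` /
            ``count`` cookies are read from it.
        response: receives the refreshed (or expired) cookies and renders
            ``show.tmpl``.
        pathmatch: route match object; unused by this controller.
    """
    # The guess comes from the form. Anything missing or non-numeric counts as
    # an invalid guess (-1) rather than producing an error page.
    try:
        guess = int(request.params['guess'])
    except (KeyError, ValueError):
        guess = -1
    # Restore state from the cookies. A missing cookie starts a new game, and
    # so does a garbled/tampered one: int() of a non-numeric cookie value
    # raises ValueError, which used to escape as an unhandled server error.
    try:
        num = int(request.cookies['number'])
        count = int(request.cookies['count'])
    except (KeyError, ValueError):
        num = 0
        count = 0
    # Model object, either fresh or rebuilt from the cookie values.
    g = GuessNumberModel(num, count)
    newmsg = 'Neue Nummer generiert!' if num == 0 else ''
    # Evaluate the guess against the model.
    (found, msg) = g.guess(guess)
    if found:
        # Correct guess: expire both cookies so the next request starts over.
        cookie_num = Cookie("number", g.num, expires=Cookie.expiry_date(-1))
        cookie_count = Cookie("count", 0, expires=Cookie.expiry_date(-1))
    else:
        # Wrong guess: persist the current number and the updated count.
        cookie_num = Cookie("number", g.num)
        cookie_count = Cookie("count", g.count)
    response.add_cookie(cookie_num)
    response.add_cookie(cookie_count)
    d = {'msg': msg, 'newmsg': newmsg, 'cnt': g.count+1, 'variant': 'Cookies', 'hidden': ''}
    response.send_template('show.tmpl', d)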
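def process_request(self, request, response):
    """Every POST request must present a valid CSRF token.

    On the first request of a session a random token is generated and stored
    in ``session['csrf_token']`` together with a ready-made hidden form field
    (``session['csrf_input']``); it is also sent as a ``csrf_token`` cookie so
    client-side scripts can attach it to AJAX POSTs. The cookie is never used
    for validation: only the ``csrf_token`` request parameter is compared with
    the session value, so a cross-site request that cannot read the cookie
    cannot supply a valid token.

    Args:
        request: must carry a ``session`` mapping (the session middleware has
            to run first), plus ``method`` and ``params``.
        response: receives the ``csrf_token`` cookie when a token is created.

    Raises:
        RuntimeError: if no session is attached to the request.
        StopProcessing: with status 403 for a POST whose token is missing,
            malformed or wrong.
    """
    from hmac import compare_digest

    if not hasattr(request, 'session'):
        raise RuntimeError("CSRF middleware needs sessions and must be registered after session middleware.")
    if 'csrf_token' not in request.session:
        # We have a session but no token yet: generate one.
        request.session['csrf_token'] = uuid4().hex
        # The token is hex, so embedding it unescaped in the markup is safe.
        request.session['csrf_input'] = "<input type=hidden name='csrf_token' value='{}'>".format(request.session['csrf_token'])
        # Expose the token as a cookie for JavaScript that builds AJAX POSTs.
        # This does not weaken the check: the cookie is never consulted below,
        # only the request parameter is, and a cross-site attacker cannot read
        # the cookie's content.
        response.add_cookie(Cookie('csrf_token', request.session['csrf_token']))
    # Every POST (including login: anonymous users get a session, too) must
    # carry the session's token as a parameter.
    if request.method.upper() == "POST":
        expected = request.session['csrf_token']
        valid = False
        if 'csrf_token' in request.params:
            supplied = request.params['csrf_token']
            # Constant-time comparison so the token cannot be recovered
            # byte-by-byte through response timing; non-string parameters
            # (e.g. repeated fields) are simply rejected.
            if isinstance(supplied, str):
                valid = compare_digest(
                    supplied.encode('utf-8', 'surrogateescape'),
                    expected.encode('utf-8'),
                )
        if not valid:
            raise StopProcessing(403, "Invalid or missing CSRF token.")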
def make_delete_cookie(self):
    """Build a ``Cookie`` that removes the session cookie on the client.

    The cookie uses ``self.cookiename`` with an empty value, path ``/`` and an
    expiry of ``Cookie.expiry_date(-1)``, the convention used in this file to
    make the browser discard a cookie.
    """
    expired = Cookie.expiry_date(-1)
    return Cookie(self.cookiename, '', path='/', expires=expired)
def make_cookie(self):
    """Build the ``Cookie`` that carries this session's id.

    The cookie is named ``self.cookiename``, holds ``self.sessid`` and is
    scoped to path ``/``; no expiry is passed, and no other attributes are
    set here.
    NOTE(review): no Secure/HttpOnly attributes are passed; confirm whether
    ``Cookie`` supports them and whether the deployment needs them.
    """
    name, value = self.cookiename, self.sessid
    return Cookie(name, value, path='/')