def issue_aft_token(): """ Issues a new antiforgery token to include in a page request. If it doesn't exist in the request, sets a cookie in the response. @param request @returns {string} the newly defined """ # check if the session is defined inside the request if not request.session: raise Error("missing session inside the request object; use the AntiforgeryValidate after the membership provider") encryption_key = request.session.guid cookie_token = request.cookies.get(cookie_name) new_token_defined = False if not cookie_token: #define a new token cookie_token = uuid.uuid1() new_token_defined = True else: can_decrypt, value = AesEncryptor.try_decrypt(cookie_token, encryption_key) if not can_decrypt: cookie_token = uuid.uuid1() new_token_defined = True else: # use the same value of before cookie_token = value if new_token_defined: cookie_token = str(cookie_token) encrypted_token = AesEncryptor.encrypt(cookie_token, str(encryption_key)) # the cookie will be set in response object inside global_handlers function request.set_aft_cookie = encrypted_token # return the token encrypted with AES; many calls always return a different value return AesEncryptor.encrypt(cookie_token, encryption_key)
def set_auth_cookie(response): set_session_cookie = hasattr(request, "set_session_cookie") unset_session_cookie = hasattr(request, "unset_session_cookie") set_aft_cookie = hasattr(request, "set_aft_cookie") if set_session_cookie: session = request.session session_guid = str(session.guid) # encrypt: session_token = AesEncryptor.encrypt(session_guid, ENCRYPTION_KEY) response.set_cookie(session_cookie, value=session_token, expires=session.expiration, httponly=True, secure=SECURE_COOKIES) if unset_session_cookie: # instruct the browser to delete the session cookie response.set_cookie(session_cookie, value="", expires=0) if set_aft_cookie: session = request.session aft = request.set_aft_cookie # set the cookie in the response response.set_cookie("aftck", value=aft, expires=session.expiration, httponly=True, secure=SECURE_COOKIES) # force XSS protection, otherwise it would be pointless to issue an antiforgery token response.headers["X-Frame-Options"] = "SAMEORIGIN" return response
def set_auth_cookie(response): set_session_cookie = hasattr(request, "set_session_cookie") unset_session_cookie = hasattr(request, "unset_session_cookie") set_aft_cookie = hasattr(request, "set_aft_cookie") if set_session_cookie: session = request.session session_guid = str(session.guid) # encrypt: session_token = AesEncryptor.encrypt(session_guid, ENCRYPTION_KEY) response.set_cookie(session_cookie, value=session_token, expires=session.expiration, httponly=True, secure=SECURE_COOKIES) if unset_session_cookie: # instruct the browser to delete the session cookie response.set_cookie(session_cookie, value="", expires=0) if set_aft_cookie: session = request.session aft = request.set_aft_cookie # set the cookie in the response response.set_cookie("aftck", value=aft, expires=session.expiration, httponly=True, secure=SECURE_COOKIES) # force XSS protection, otherwise it would be pointless to issue an antiforgery token response.headers["X-Frame-Options"] = "SAMEORIGIN" return response
async def initialize_anonymous_session(self, request: Request): """ Initializes an anonymous session for the given request. :param request: incoming request to a resource that is related to this logical area. """ client_ip = self.get_client_ip(request) result = await self.membership.initialize_anonymous_session( client_ip, client_data=request.headers.get("User-Agent")) # set a flag to set a session cookie session = result.session session_cookie_name = self.config.session_cookie_name encryption_key = self.config.encryption_key session_cookie_value = AesEncryptor.encrypt(str(session.guid), encryption_key) request.set_session_cookie = True request.cookies_to_set.append( CookieToken(session_cookie_name, session_cookie_value, httponly=True, secure=self.secure_cookies)) # store user and session information in the request object request.user = result.principal request.session = session
def issue_aft(request): """ Issues a new session based antiforgery token. This solution implements the double token strategy: the same antiforgery token is serialized twice, hence producing two different encrypted strings. One is set as response cookie; one is returned to be rendered inside the html view. """ # check if the session is defined inside the request if not hasattr(request, "session"): # missing session context; use the AntiforgeryValidate after the membership provider raise ValueError("missing session context") encryption_key = str(request.session.guid) cookie_token = request.cookies.get(cookie_name) if not cookie_token: #define a new token cookie_token = uuid.uuid1() else: can_decrypt, value = AesEncryptor.try_decrypt(cookie_token, encryption_key) if not can_decrypt: cookie_token = uuid.uuid1() else: # use the same value of before cookie_token = value # will set a new cookie in the response object cookie_token = str(cookie_token) encrypted_token = AesEncryptor.encrypt(cookie_token, encryption_key) # the cookie will be set in response object inside global_handlers function request.cookies_to_set.append( CookieToken(cookie_name, encrypted_token.decode("utf-8"), httponly=True, secure=configuration.secure_cookies)) # return the token encrypted with AES; many calls always return a different value v = AesEncryptor.encrypt(cookie_token, encryption_key) return v.decode("utf-8")