def get_session_id(self): cookiestring = "\n".join(self.headers.get_all('Cookie',failobj=[])) c = cookie() c.load(cookiestring) if 'session_id' in c: return c['session_id'].value return None
def _session_cookie(self, game_name,forcenew=False): cookiestring = "\n".join(self.headers.get_all('Cookie',failobj=[])) c = cookie() c.load(cookiestring) c['session_id']=int(uuid.uuid1().int) self.sessioncookies[int(c['session_id'].value)] = game_name self.boards[int(c['session_id'].value)] = [[0, 0, 0], [0, 0, 0], [0, 0, 0]] return c['session_id'].value
def get_session_id(self): cookiestring = "\n".join(self.headers.get_all('Cookie', failobj=[])) c = cookie() c.load(cookiestring) if 'session_id' in c: return c['session_id'].value return None
def _session_cookie(self,forcenew=False): cookiestring = "\n".join(self.headers.get_all('Cookie',failobj=[])) c = cookie() c.load(cookiestring) try: if forcenew or self.sessioncookies[c['session_id'].value]-time() > 3600: raise ValueError('new cookie needed') except: c['session_id']=uuid().hex for m in c: if m=='session_id': self.sessioncookies[c[m].value] = time() c[m]["httponly"] = True c[m]["max-age"] = 3600 c[m]["expires"] = self.date_time_string(time()+3600) self.sessionidmorsel = c[m] break
def _session_cookie(self, forcenew=False): cookiestring = "\n".join(self.headers.get_all('Cookie',failobj=[])) c = cookie() c.load(cookiestring) try: if forcenew or time.time() - int(self.sessioncookies[c['session_id'].value]) > self.SESSION_MAX_AGE: raise ValueError('new cookie needed') except: # 用uuid随机生成session id c['session_id'] = uuid.uuid4().hex for m in c: if m == 'session_id': c[m]["httponly"] = True c[m]["max-age"] = self.SESSION_MAX_AGE c[m]["expires"] = self.date_time_string(time.time() + self.SESSION_MAX_AGE) self.sessioncookies[c[m].value] = time.time() self.sessionidmorsel = c[m] break return c['session_id'].value
def _session_cookie(self, forcenew=False): cookiestring = "\n".join(self.headers.get_all('Cookie', failobj=[])) c = cookie() c.load(cookiestring) try: if forcenew or time.time() - int(self.sessioncookies[ c['session_id'].value]) > self.SESSION_MAX_AGE: raise ValueError('new cookie needed') except: # 用uuid随机生成session id c['session_id'] = uuid.uuid4().hex for m in c: if m == 'session_id': c[m]["httponly"] = True c[m]["max-age"] = self.SESSION_MAX_AGE c[m]["expires"] = self.date_time_string(time.time() + self.SESSION_MAX_AGE) self.sessioncookies[c[m].value] = time.time() self.sessionidmorsel = c[m] break return c['session_id'].value
def _session_cookie(self, s, forcenew=False): new_cookie = False cookiestring = "\n".join(s.headers.get_all('Cookie', failobj=[])) c = cookie() c.load(cookiestring) #clear old session_id's self.sessioncookies = { k: v for k, v in self.sessioncookies.items() if time.time() - v < SESSION_TIMEOUT } common = self.sessioncookies.keys() & self.userdata.keys() self.userdata = {k: v for k, v in self.userdata.items() if k in common} try: if forcenew or time.time() - self.sessioncookies[ c['aog_session_id'].value] > SESSION_TIMEOUT: raise ValueError('new cookie needed') except: new_cookie = True c['aog_session_id'] = uuid.uuid4().hex self.userdata[c['aog_session_id'].value] = {} for m in c: if m == 'aog_session_id': self.sessioncookies[c[m].value] = time.time() c[m]["httponly"] = True c[m]["max-age"] = SESSION_TIMEOUT c[m]["expires"] = s.date_time_string(time.time() + SESSION_TIMEOUT) self.sessionid = c[m].value return (new_cookie, c[m]) return (new_cookie, None)
def do_ACTION(self, action, hostname=None): vars_ = DAOObject() if self.useSSL: vars_.scheme = HTTPS else: vars_.scheme = HTTP setattrs(vars_, time=time.time(), path=urlparse(self.path), ipaddress=self.ipaddress, browser="unknown", country_code=self.country_code, session_id=None, device_id=None, isajax=False, language="en", allowcompression=False) self.transvars = DAOObject() # process appvars if (vars_.path.query != None) and (vars_.path.query != ""): splititems_ = vars_.path.query.split("&") if (len(splititems_) > 0): for splititem_ in splititems_: parts_ = splititem_.split("=") if (len(parts_) > 1): if (parts_[0] in ["format", "position", "pretty"]): if (parts_[0] == "format"): vars_.output = parts_[1] elif (parts_[0] == "position"): vars_.positionid = parts_[1] elif (parts_[0] == "pretty"): vars_.pretty = parts_[1] else: vars_.__setattr__(parts_[0], parts_[1]) try: headerKeys_ = self.headers.keys() for key_ in headerKeys_: vars_.__setattr__(key_, self.headers.get(key_)) # If the service is not using SSL, then perform a HTTP redirect to the SSL side... if (vars_.session_id == "null"): vars_.session_id = None if (vars_.device_id == None) or (vars_.device_id == "null"): vars_.device_id = self.uniqueId # check encoding allows for compression if (vars_.AcceptEncoding != None): encodingoptions_ = vars_.AcceptEncoding.split(",") for option_ in encodingoptions_: if option_[0:1:] == " ": option_ = option_[1:].lower() if "deflate" in option_: vars_.allowcompression = True # check some headers of course (page headers of course) if (vars_.AcceptLanguage != None): vars_.language = self.detectLocale(vars_.AcceptLanguage) # recover session etc. information if available from cookie !! if (vars_.session_id == None): cookiestring_ = "\n".join( self.headers.get_all('Cookie', failobj=[])) cookiein_ = cookie() cookiein_.load(cookiestring_) for m_ in cookiein_: if (m_ in COOKYMAP.keys()): vars_.__setattr__(COOKYMAP[m_], cookiein_[m_].value) # is this an ajax call? if (vars_.http_x_requested_with == AJAX_TOKEN) or (vars_.xrequestedwith == AJAX_TOKEN): referer = vars_.referer if (referer != None) and (self.CONFIG.CROSS_CHECK != None): if (referer.lower().find(self.CONFIG.CROSS_CHECK)) != -1: vars_.isajax = True else: self.log(( "Attempt to cross-script access from the service.. %s " % referer)) self.send_error(HTTP_FORBIDDEN, RESPONSE_ACCESS_DENIED) self.close_connection = 1 return # check useragent for allowing access... if (vars_.useragent != None): vars_.useragent = vars_.useragent.lower() for agent_ in AUTOBLOCK_USERAGENTS: if (vars_.useragent.find(agent_) != -1): self.send_error(HTTP_FORBIDDEN, RESPONSE_ACCESS_DENIED) self.close_connection = 1 return for agent_ in ALLOWED_USERAGENTS: if (vars_.useragent.find(agent_) != -1): vars_.browser = agent_ break except Exception as inst: self.logException(inst) self.send_error(HTTP_FORBIDDEN, RESPONSE_ACCESS_DENIED) self.close_connection = 1 return routefound_ = None if (action in [HTTP_ACTION_GATEWAY]): if (vars_.contentlength != None): length_ = int(vars_.contentlength) if (length_ > 0): postData_ = self.rfile.read(length_) encoded_ = postData_.decode(UTF8) dict_ = json.loads(encoded_) if (dict_ != None) and ("actions" in dict_.keys()): actionsFound_ = dict_["actions"] if (len(actionsFound_) == 1): gatewayAction_ = actionsFound_[0] action_ = gatewayAction_["action"] content_ = None params_ = DAOObject(gatewayAction_["data"]) if ("content" in gatewayAction_.keys()): content_ = gatewayAction_["content"] routefound_ = self.CONTROLLERS.routes.match( action_, HTTP_ACTION_GATEWAY) if (routefound_ != None): if (routefound_.vars_ == None): routefound_.vars_ = {} routefound_.vars_.update({ "params": params_, "content": content_ }) else: routefound_ = self.CONTROLLERS.routes.match( vars_.path.path, action) if (routefound_ == None): self.log(("Route invalid - %s:%s" % (action, vars_.path.path))) else: permissionsreq_ = routefound_.auth # get extended information (like permissions and user info etc) session_ = None # do session binding !! if (not routefound_.tracksession): vars_.session_id = NO_TRACK session_ = self.SESSIONS.noTrackSession if (permissionsreq_ != None): self.log(( "cannot execute permission check on a non-authenticated connection" ), "warn") self.send_error(HTTP_FORBIDDEN, RESPONSE_ACCESS_DENIED) self.close_connection = 1 return else: if (vars_.session_id != None): current_ = re.findall(SESSIONPARSER, vars_.session_id) if (len(current_) > 0): session_ = self.SESSIONS.sessionForId(vars_.session_id) if (session_ == None): vars_.session_id = None # reset session with a new one ! else: self.log( ("Spoofing sessionid - %s" % (vars_.session_id)), "session") self.close_connection = 1 return if (session_ != None) and (session_.id_session == None): vars_.session_id = None if (vars_.session_id == None): session_ = self.SESSIONS.newSession( self.ipaddress, vars_.language, vars_.browser, vars_.useragent, self.country_code) vars_.session_id = session_.id_session if (session_.lang == None): session_.lang = vars_.language # Authenticate the connection (if not done already) if (session_.username == None): if (vars_.authorization != None): success_, username_, permissions_ = self.AUTHENTICATION.check( vars_.authorization) if (success_): session_.username = username_ session_.permissions = permissions_ else: self.send_error(HTTP_FORBIDDEN, RESPONSE_ACCESS_DENIED) self.close_connection = 1 return else: if (self.CONFIG.REQUIRE_AUTH == 1): if (self.CONFIG.PROMPT_AUTH == 1): # use the browser default authentication process if (vars_.authorization == None): self.send_response(401) self.send_header("WWW-Authenticate", "Basic") self.end_headers() self.close_connection = 1 return self.send_error(HTTP_FORBIDDEN, RESPONSE_ACCESS_DENIED) self.close_connection = 1 return # check permission set... if (permissionsreq_ != None): success_ = False if (session_.permissions != None): for permissionreq_ in permissionsreq_: if permissionreq_ in session_.permissions: success_ = True break if (not success_): self.log( ("Method not allowed (%s)" % (routefound_.function))) self.send_error(HTTP_METHOD_NOT_ALLOWED, RESPONSE_NO_PERMISSIONS) self.close_connection = 1 return # if the connection is invalid return state 400 if (session_ != None): controller_ = None postData_ = None contentout_ = None response_ = None function_ = None format_ = None exitcode_ = HTTP_OK length_ = 0 try: # ignore postdata if the request is a get/delete etc... if ((routefound_ != None) and (routefound_.controller != None)): if (action not in [ HTTP_ACTION_GET, HTTP_ACTION_DELETE, HTTP_ACTION_GATEWAY ]): if (vars_.contentlength != None): length_ = int(vars_.contentlength) if (length_ > 0): if (vars_.allowcompression): rawData_ = self.rfile.read(length_) postData_ = zlib.decompress(rawData_) else: postData_ = self.rfile.read(length_) module_ = self.CONTROLLERS.controllerForId( routefound_.controller) if (module_ != None): class_ = getattr(module_, routefound_.controller) controller_ = class_(self, session_, vars_.path.query, vars_.isajax) if (routefound_.function): function_ = getattr(controller_, routefound_.function) # no data to post ! if (function_ != None): if (routefound_.vars != None) and (len( routefound_.vars) > 0): response_ = function_(postData_, vars_, **routefound_.vars) else: response_ = function_(postData_, vars_) if (response_ != None): exitcode_ = response_.response format_ = response_.mimetype else: exitcode_ = HTTP_NO_CONTENT if (exitcode_ != HTTP_OK) and (exitcode_ != HTTP_NO_CONTENT): self.log(("Request failed - %s:%s" % (action, vars_.path.path))) else: self.log( ("%s | %s" % (routefound_.function, routefound_.vars))) except Exception as inst: self.logException(inst) finally: if (controller_ == None) or (response_ == None): exitcode_ = HTTP_PAGE_DOES_NOT_EXIST # now render the result if (response_ != None): modifiedsince_ = None if (vars_.ifmodifiedsince != None): modifiedsince_ = vars_.ifmodifiedsince now_ = time.time() expires_ = now_ + 2419200 sendcontent_ = 1 compress_ = response_.compressed if (exitcode_ == HTTP_OK): contentout_ = self.reformat(response_.content, format_) dataout_ = contentout_ if (not response_.isbinary): if (dataout_ != None): if (format_ in TEXT_TYPES): dataout_ = bytes(contentout_, UTF8) if (dataout_ != None) and (not response_.compressed) and ( vars_.allowcompression): compress_ = True dataout_ = zlib.compress(dataout_) response_.content = dataout_ sendcookies_ = False if (format_ in [ TYPE_RAW, TYPE_HTML, TYPE_JSON, TYPE_XMLS, TYPE_XML ]): self.send_response(HTTP_OK) if compress_: self.send_header("Content-Encoding", "deflate") self.send_header("Content-Type", MIMETYPES[format_]) self.send_header("Content-Length", str(len(response_.content))) sendcookies_ = True elif (format_ != None): if (response_.lastmodified != None): if (response_.lastmodified == 0): self.send_response(HTTP_OK) self.send_header("Expires", "0") self.send_header("Pragma-Directive", "no-cache") self.send_header("Cache-Directive", "no-cache") self.send_header("Cache-Control", "no-cache") if compress_: self.send_header( "Content-Encoding", "deflate") if (format_ in MIMETYPES.keys()): self.send_header( "Content-Type", MIMETYPES[format_]) else: self.send_header( "Content-Type", format_) self.send_header("Pragma", "no-cache") else: datelastmodified_ = datetime.datetime.strptime( time.ctime(response_.lastmodified), "%a %b %d %H:%M:%S %Y") datemodified_ = datelastmodified_.strftime( "%a, %d %b %Y %H:%M:%S GMT") if (datemodified_ == modifiedsince_): self.send_response(HTTP_NOT_MODIFIED) sendcontent_ = 0 response_.content = None self.send_header( "Cache-Control", "max-age=86400, public") else: self.send_response(HTTP_OK) dateexpires_ = datetime.datetime.strptime( time.ctime(expires_), "%a %b %d %H:%M:%S %Y") self.send_header( "Expires", dateexpires_.strftime( "%a, %d %b %Y %H:%M:%S GMT")) self.send_header( "Last-Modified", datemodified_) self.send_header( "Cache-Control", "max-age=86400, public") if compress_: self.send_header( "Content-Encoding", "deflate") if (format_ in MIMETYPES.keys()): self.send_header( "Content-Type", MIMETYPES[format_]) else: self.send_header( "Content-Type", format_) self.send_header( "Pragma", response_.cachetype) else: self.send_response(HTTP_OK) self.send_header( "Cache-Control", "max-age=900, must-revalidate") if compress_: self.send_header("Content-Encoding", "deflate") if (format_ in MIMETYPES.keys()): self.send_header("Content-Type", MIMETYPES[format_]) else: self.send_header("Content-Type", format_) self.send_header("Pragma", "private") if (response_.content != None) and (sendcontent_ == 1): self.send_header("Content-Length", str(len(response_.content))) else: self.send_response(HTTP_PAGE_DOES_NOT_EXIST) self.send_header("Connection", "Close") self.end_headers() self.close_connection = 1 return if (vars_.session_id != NO_TRACK) and sendcookies_: # send recovery header for http session handling self.send_header("session_id", vars_.session_id) # OWASP Compliance # prevent TLS issues arising self.send_header( "Strict-Transport-Security", "max-age=86400; includeSubDomains") # prevent iframe abuse (only allow same origin) - options are... # ALLOW-FROM https://example.com/ # DENY # SAMEORIGIN self.send_header("X-Frame-Options", "SAMEORIGIN") # prevent Cross Site Scripting etc self.send_header("X-XSS-Protection", "1; mode=block") self.send_header("X-Content-Type-Options", "nosniff") # send cookies cookies_ = { "session_id": vars_.session_id, "device_id": vars_.device_id, "language": vars_.language } expires_ = datetime.datetime.strptime( time.ctime(now_ + TIMEOUT), "%a %b %d %H:%M:%S %Y") cookie_ = cookie() for cookiekey_ in cookies_.keys(): cookie_[cookiekey_] = cookies_[cookiekey_] cookie_[cookiekey_]["httponly"] = True # if we use a default servicename, then cookies should link to the hostname if (self.CONFIG.SERVICE_NAME == "*"): host_ = vars_.HOST cookie_[cookiekey_]["domain"] = host_ else: cookie_[cookiekey_]["domain"] = ( "." + self.CONFIG.SERVICE_NAME) cookie_[cookiekey_]["path"] = "/" cookie_[cookiekey_]["max-age"] = TIMEOUT cookie_[cookiekey_]["expires"] = expires_ cookie_[cookiekey_][ "secure"] = self.CONFIG.REQUIRE_SSL _cookieOut = cookie_[cookiekey_] self.send_header('Set-Cookie', _cookieOut.OutputString()) # send user identifier if (session_.username != None): self.send_header("X-Userid", session_.username) # send render time (for page) self.send_header("X-Time", ("%s" % (now_ - vars_.time))) if (response_.release): self.end_headers() self.returnResponse(exitcode_, response_.content, True) else: self.send_header("Connection", "Keep-alive") self.send_header("Keep-Alive", "max=5, timeout=120") self.close_connection = 0 return self.send_response(HTTP_OK) self.send_header("Content-Type", "text/html") self.send_header("Connection", "Close") self.end_headers() self.close_connection = 1
def sessionCookie(self): cookiestring = "\n".join(self.headers.get_all('Cookie', failobj=[])) c = cookie() c.load(cookiestring) self.cookie = c