commit | author | age
|
968209
|
1 |
import base64 |
319793
|
2 |
import binascii |
10c685
|
3 |
import hashlib |
319793
|
4 |
import hmac |
CM |
5 |
import os |
10c685
|
6 |
import time |
968209
|
7 |
|
c151ad
|
8 |
from zope.deprecation import deprecated |
3b7334
|
9 |
from zope.interface import implementer |
6af3eb
|
10 |
|
8134a7
|
11 |
from webob.cookies import SignedSerializer |
CM |
12 |
|
0c1c39
|
13 |
from pyramid.compat import ( |
CM |
14 |
pickle, |
bc37a5
|
15 |
PY2, |
0c1c39
|
16 |
text_, |
CM |
17 |
bytes_, |
|
18 |
native_, |
65dee6
|
19 |
urlparse, |
0c1c39
|
20 |
) |
CM |
21 |
|
65dee6
|
22 |
from pyramid.exceptions import ( |
DS |
23 |
BadCSRFOrigin, |
|
24 |
BadCSRFToken, |
|
25 |
) |
6af3eb
|
26 |
from pyramid.interfaces import ISession |
65dee6
|
27 |
from pyramid.settings import aslist |
DS |
28 |
from pyramid.util import ( |
|
29 |
is_same_domain, |
|
30 |
strings_differ, |
|
31 |
) |
6af3eb
|
32 |
|
968209
|
33 |
def manage_accessed(wrapped): |
4fade6
|
34 |
""" Decorator which causes a cookie to be renewed when an accessor |
MM |
35 |
method is called.""" |
968209
|
36 |
def accessed(session, *arg, **kw): |
4fade6
|
37 |
session.accessed = now = int(time.time()) |
b2dd47
|
38 |
if session._reissue_time is not None: |
MM |
39 |
if now - session.renewed > session._reissue_time: |
|
40 |
session.changed() |
968209
|
41 |
return wrapped(session, *arg, **kw) |
CM |
42 |
accessed.__doc__ = wrapped.__doc__ |
|
43 |
return accessed |
4fade6
|
44 |
|
MM |
45 |
def manage_changed(wrapped): |
|
46 |
""" Decorator which causes a cookie to be set when a setter method |
|
47 |
is called.""" |
|
48 |
def changed(session, *arg, **kw): |
|
49 |
session.accessed = int(time.time()) |
|
50 |
session.changed() |
|
51 |
return wrapped(session, *arg, **kw) |
|
52 |
changed.__doc__ = wrapped.__doc__ |
|
53 |
return changed |
968209
|
54 |
|
cf46a1
|
55 |
def signed_serialize(data, secret): |
IW |
56 |
""" Serialize any pickleable structure (``data``) and sign it |
|
57 |
using the ``secret`` (must be a string). Return the |
|
58 |
serialization, which includes the signature as its first 40 bytes. |
|
59 |
The ``signed_deserialize`` method will deserialize such a value. |
|
60 |
|
|
61 |
This function is useful for creating signed cookies. For example: |
|
62 |
|
|
63 |
.. code-block:: python |
|
64 |
|
|
65 |
cookieval = signed_serialize({'a':1}, 'secret') |
|
66 |
response.set_cookie('signed_cookie', cookieval) |
|
67 |
""" |
|
68 |
pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL) |
cf026e
|
69 |
try: |
MM |
70 |
# bw-compat with pyramid <= 1.5b1 where latin1 is the default |
|
71 |
secret = bytes_(secret) |
|
72 |
except UnicodeEncodeError: |
|
73 |
secret = bytes_(secret, 'utf-8') |
|
74 |
sig = hmac.new(secret, pickled, hashlib.sha1).hexdigest() |
cf46a1
|
75 |
return sig + native_(base64.b64encode(pickled)) |
IW |
76 |
|
|
77 |
def signed_deserialize(serialized, secret, hmac=hmac): |
|
78 |
""" Deserialize the value returned from ``signed_serialize``. If |
|
79 |
the value cannot be deserialized for any reason, a |
|
80 |
:exc:`ValueError` exception will be raised. |
|
81 |
|
|
82 |
This function is useful for deserializing a signed cookie value |
|
83 |
created by ``signed_serialize``. For example: |
|
84 |
|
|
85 |
.. code-block:: python |
|
86 |
|
|
87 |
cookieval = request.cookies['signed_cookie'] |
|
88 |
data = signed_deserialize(cookieval, 'secret') |
|
89 |
""" |
|
90 |
# hmac parameterized only for unit tests |
|
91 |
try: |
4fade6
|
92 |
input_sig, pickled = (bytes_(serialized[:40]), |
cf46a1
|
93 |
base64.b64decode(bytes_(serialized[40:]))) |
IW |
94 |
except (binascii.Error, TypeError) as e: |
|
95 |
# Badly formed data can make base64 die |
|
96 |
raise ValueError('Badly formed base64 data: %s' % e) |
|
97 |
|
cf026e
|
98 |
try: |
MM |
99 |
# bw-compat with pyramid <= 1.5b1 where latin1 is the default |
|
100 |
secret = bytes_(secret) |
|
101 |
except UnicodeEncodeError: |
|
102 |
secret = bytes_(secret, 'utf-8') |
|
103 |
sig = bytes_(hmac.new(secret, pickled, hashlib.sha1).hexdigest()) |
cf46a1
|
104 |
|
IW |
105 |
# Avoid timing attacks (see |
|
106 |
# http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf) |
|
107 |
if strings_differ(sig, input_sig): |
|
108 |
raise ValueError('Invalid signature') |
|
109 |
|
|
110 |
return pickle.loads(pickled) |
|
111 |
|
65dee6
|
112 |
def check_csrf_origin(request, trusted_origins=None, raises=True): |
DS |
113 |
""" |
|
114 |
Check the Origin of the request to see if it is a cross site request or |
|
115 |
not. |
|
116 |
|
|
117 |
If the value supplied by the Origin or Referer header isn't one of the |
|
118 |
trusted origins and ``raises`` is ``True``, this function will raise a |
|
119 |
:exc:`pyramid.exceptions.BadCSRFOrigin` exception but if ``raises`` is |
|
120 |
``False`` this function will return ``False`` instead. If the CSRF origin |
|
121 |
checks are successful this function will return ``True`` unconditionally. |
|
122 |
|
|
123 |
Additional trusted origins may be added by passing a list of domain (and |
|
124 |
ports if nonstandard like `['example.com', 'dev.example.com:8080']`) in |
|
125 |
with the ``trusted_origins`` parameter. If ``trusted_origins`` is ``None`` |
|
126 |
(the default) this list of additional domains will be pulled from the |
|
127 |
``pyramid.csrf_trusted_origins`` setting. |
|
128 |
|
|
129 |
Note that this function will do nothing if request.scheme is not https. |
|
130 |
|
|
131 |
.. versionadded:: 1.7 |
|
132 |
""" |
|
133 |
def _fail(reason): |
|
134 |
if raises: |
|
135 |
raise BadCSRFOrigin(reason) |
|
136 |
else: |
|
137 |
return False |
|
138 |
|
|
139 |
if request.scheme == "https": |
|
140 |
# Suppose user visits http://example.com/ |
|
141 |
# An active network attacker (man-in-the-middle, MITM) sends a |
|
142 |
# POST form that targets https://example.com/detonate-bomb/ and |
|
143 |
# submits it via JavaScript. |
|
144 |
# |
|
145 |
# The attacker will need to provide a CSRF cookie and token, but |
|
146 |
# that's no problem for a MITM when we cannot make any assumptions |
|
147 |
# about what kind of session storage is being used. So the MITM can |
|
148 |
# circumvent the CSRF protection. This is true for any HTTP connection, |
|
149 |
# but anyone using HTTPS expects better! For this reason, for |
|
150 |
# https://example.com/ we need additional protection that treats |
|
151 |
# http://example.com/ as completely untrusted. Under HTTPS, |
|
152 |
# Barth et al. found that the Referer header is missing for |
|
153 |
# same-domain requests in only about 0.2% of cases or less, so |
|
154 |
# we can use strict Referer checking. |
|
155 |
|
|
156 |
# Determine the origin of this request |
|
157 |
origin = request.headers.get("Origin") |
|
158 |
if origin is None: |
|
159 |
origin = request.referrer |
|
160 |
|
|
161 |
# Fail if we were not able to locate an origin at all |
|
162 |
if not origin: |
|
163 |
return _fail("Origin checking failed - no Origin or Referer.") |
|
164 |
|
|
165 |
# Parse our origin so we we can extract the required information from |
|
166 |
# it. |
|
167 |
originp = urlparse.urlparse(origin) |
|
168 |
|
|
169 |
# Ensure that our Referer is also secure. |
|
170 |
if originp.scheme != "https": |
|
171 |
return _fail( |
|
172 |
"Referer checking failed - Referer is insecure while host is " |
|
173 |
"secure." |
|
174 |
) |
|
175 |
|
|
176 |
# Determine which origins we trust, which by default will include the |
|
177 |
# current origin. |
|
178 |
if trusted_origins is None: |
|
179 |
trusted_origins = aslist( |
|
180 |
request.registry.settings.get( |
|
181 |
"pyramid.csrf_trusted_origins", []) |
|
182 |
) |
|
183 |
|
884043
|
184 |
if request.host_port not in set(["80", "443"]): |
65dee6
|
185 |
trusted_origins.append("{0.domain}:{0.host_port}".format(request)) |
DS |
186 |
else: |
|
187 |
trusted_origins.append(request.domain) |
|
188 |
|
|
189 |
# Actually check to see if the request's origin matches any of our |
|
190 |
# trusted origins. |
|
191 |
if not any(is_same_domain(originp.netloc, host) |
|
192 |
for host in trusted_origins): |
|
193 |
reason = ( |
dd45cf
|
194 |
"Referer checking failed - {0} does not match any trusted " |
65dee6
|
195 |
"origins." |
DS |
196 |
) |
|
197 |
return _fail(reason.format(origin)) |
|
198 |
|
|
199 |
return True |
|
200 |
|
|
201 |
|
bfe654
|
202 |
def check_csrf_token(request, |
LC |
203 |
token='csrf_token', |
ea93cf
|
204 |
header='X-CSRF-Token', |
bfe654
|
205 |
raises=True): |
68c00d
|
206 |
""" Check the CSRF token in the request's session against the value in |
f12005
|
207 |
``request.POST.get(token)`` (if a POST request) or |
DS |
208 |
``request.headers.get(header)``. If a ``token`` keyword is not supplied to |
|
209 |
this function, the string ``csrf_token`` will be used to look up the token |
|
210 |
in ``request.POST``. If a ``header`` keyword is not supplied to this |
|
211 |
function, the string ``X-CSRF-Token`` will be used to look up the token in |
|
212 |
``request.headers``. |
bfe654
|
213 |
|
f12005
|
214 |
If the value supplied by post or by header doesn't match the value |
bfe654
|
215 |
supplied by ``request.session.get_csrf_token()``, and ``raises`` is |
LC |
216 |
``True``, this function will raise an |
0e2914
|
217 |
:exc:`pyramid.exceptions.BadCSRFToken` exception. |
b13b1c
|
218 |
If the values differ and ``raises`` is ``False``, this function will |
MM |
219 |
return ``False``. If the CSRF check is successful, this function will |
|
220 |
return ``True`` unconditionally. |
643a83
|
221 |
|
CM |
222 |
Note that using this function requires that a :term:`session factory` is |
|
223 |
configured. |
68c00d
|
224 |
|
769da1
|
225 |
See :ref:`auto_csrf_checking` for information about how to secure your |
MM |
226 |
application automatically against CSRF attacks. |
|
227 |
|
68c00d
|
228 |
.. versionadded:: 1.4a2 |
8ceb14
|
229 |
|
MM |
230 |
.. versionchanged:: 1.7a1 |
|
231 |
A CSRF token passed in the query string of the request is no longer |
|
232 |
considered valid. It must be passed in either the request body or |
|
233 |
a header. |
68c00d
|
234 |
""" |
de3d0c
|
235 |
supplied_token = "" |
f12005
|
236 |
# If this is a POST/PUT/etc request, then we'll check the body to see if it |
DS |
237 |
# has a token. We explicitly use request.POST here because CSRF tokens |
|
238 |
# should never appear in an URL as doing so is a security issue. We also |
|
239 |
# explicitly check for request.POST here as we do not support sending form |
|
240 |
# encoded data over anything but a request.POST. |
de3d0c
|
241 |
if token is not None: |
MM |
242 |
supplied_token = request.POST.get(token, "") |
f12005
|
243 |
|
DS |
244 |
# If we were unable to locate a CSRF token in a request body, then we'll |
|
245 |
# check to see if there are any headers that have a value for us. |
de3d0c
|
246 |
if supplied_token == "" and header is not None: |
f12005
|
247 |
supplied_token = request.headers.get(header, "") |
DS |
248 |
|
f16a1b
|
249 |
expected_token = request.session.get_csrf_token() |
MM |
250 |
if strings_differ(bytes_(expected_token), bytes_(supplied_token)): |
643a83
|
251 |
if raises: |
0e2914
|
252 |
raise BadCSRFToken('check_csrf_token(): Invalid token') |
643a83
|
253 |
return False |
68c00d
|
254 |
return True |
CM |
255 |
|
8134a7
|
256 |
class PickleSerializer(object): |
ee9c62
|
257 |
""" A serializer that uses the pickle protocol to dump Python |
MM |
258 |
data to bytes. |
|
259 |
|
|
260 |
This is the default serializer used by Pyramid. |
|
261 |
|
|
262 |
``protocol`` may be specified to control the version of pickle used. |
|
263 |
Defaults to :attr:`pickle.HIGHEST_PROTOCOL`. |
|
264 |
|
|
265 |
""" |
|
266 |
def __init__(self, protocol=pickle.HIGHEST_PROTOCOL): |
|
267 |
self.protocol = protocol |
|
268 |
|
8134a7
|
269 |
def loads(self, bstruct): |
ee9c62
|
270 |
"""Accept bytes and return a Python object.""" |
8134a7
|
271 |
return pickle.loads(bstruct) |
CM |
272 |
|
|
273 |
def dumps(self, appstruct): |
ee9c62
|
274 |
"""Accept a Python object and return bytes.""" |
MM |
275 |
return pickle.dumps(appstruct, self.protocol) |
8134a7
|
276 |
|
4fade6
|
277 |
def BaseCookieSessionFactory( |
8134a7
|
278 |
serializer, |
4fade6
|
279 |
cookie_name='session', |
MM |
280 |
max_age=None, |
|
281 |
path='/', |
|
282 |
domain=None, |
|
283 |
secure=False, |
|
284 |
httponly=False, |
|
285 |
timeout=1200, |
|
286 |
reissue_time=0, |
|
287 |
set_on_exception=True, |
|
288 |
): |
|
289 |
""" |
9536f9
|
290 |
.. versionadded:: 1.5 |
f65375
|
291 |
|
4fade6
|
292 |
Configure a :term:`session factory` which will provide cookie-based |
9536f9
|
293 |
sessions. The return value of this function is a :term:`session factory`, |
CM |
294 |
which may be provided as the ``session_factory`` argument of a |
|
295 |
:class:`pyramid.config.Configurator` constructor, or used as the |
|
296 |
``session_factory`` argument of the |
4fade6
|
297 |
:meth:`pyramid.config.Configurator.set_session_factory` method. |
MM |
298 |
|
|
299 |
The session factory returned by this function will create sessions |
|
300 |
which are limited to storing fewer than 4000 bytes of data (as the |
|
301 |
payload must fit into a single cookie). |
|
302 |
|
|
303 |
.. warning: |
|
304 |
|
|
305 |
This class provides no protection from tampering and is only intended |
|
306 |
to be used by framework authors to create their own cookie-based |
|
307 |
session factories. |
|
308 |
|
|
309 |
Parameters: |
|
310 |
|
8134a7
|
311 |
``serializer`` |
1098ac
|
312 |
An object with two methods: ``loads`` and ``dumps``. The ``loads`` |
MM |
313 |
method should accept bytes and return a Python object. The ``dumps`` |
|
314 |
method should accept a Python object and return bytes. A ``ValueError`` |
|
315 |
should be raised for malformed inputs. |
4fade6
|
316 |
|
MM |
317 |
``cookie_name`` |
|
318 |
The name of the cookie used for sessioning. Default: ``'session'``. |
|
319 |
|
|
320 |
``max_age`` |
|
321 |
The maximum age of the cookie used for sessioning (in seconds). |
|
322 |
Default: ``None`` (browser scope). |
|
323 |
|
|
324 |
``path`` |
|
325 |
The path used for the session cookie. Default: ``'/'``. |
|
326 |
|
|
327 |
``domain`` |
|
328 |
The domain used for the session cookie. Default: ``None`` (no domain). |
|
329 |
|
|
330 |
``secure`` |
|
331 |
The 'secure' flag of the session cookie. Default: ``False``. |
|
332 |
|
|
333 |
``httponly`` |
|
334 |
Hide the cookie from Javascript by setting the 'HttpOnly' flag of the |
|
335 |
session cookie. Default: ``False``. |
|
336 |
|
|
337 |
``timeout`` |
|
338 |
A number of seconds of inactivity before a session times out. If |
89dc46
|
339 |
``None`` then the cookie never expires. This lifetime only applies |
MM |
340 |
to the *value* within the cookie. Meaning that if the cookie expires |
|
341 |
due to a lower ``max_age``, then this setting has no effect. |
|
342 |
Default: ``1200``. |
4fade6
|
343 |
|
MM |
344 |
``reissue_time`` |
|
345 |
The number of seconds that must pass before the cookie is automatically |
|
346 |
reissued as the result of a request which accesses the session. The |
|
347 |
duration is measured as the number of seconds since the last session |
|
348 |
cookie was issued and 'now'. If this value is ``0``, a new cookie |
89dc46
|
349 |
will be reissued on every request accessing the session. If ``None`` |
4fade6
|
350 |
then the cookie's lifetime will never be extended. |
MM |
351 |
|
|
352 |
A good rule of thumb: if you want auto-expired cookies based on |
|
353 |
inactivity: set the ``timeout`` value to 1200 (20 mins) and set the |
|
354 |
``reissue_time`` value to perhaps a tenth of the ``timeout`` value |
|
355 |
(120 or 2 mins). It's nonsensical to set the ``timeout`` value lower |
|
356 |
than the ``reissue_time`` value, as the ticket will never be reissued. |
|
357 |
However, such a configuration is not explicitly prevented. |
|
358 |
|
|
359 |
Default: ``0``. |
|
360 |
|
|
361 |
``set_on_exception`` |
|
362 |
If ``True``, set a session cookie even if an exception occurs |
|
363 |
while rendering a view. Default: ``True``. |
|
364 |
|
|
365 |
.. versionadded: 1.5a3 |
|
366 |
""" |
|
367 |
|
|
368 |
@implementer(ISession) |
|
369 |
class CookieSession(dict): |
|
370 |
""" Dictionary-like session object """ |
|
371 |
|
|
372 |
# configuration parameters |
|
373 |
_cookie_name = cookie_name |
fa7886
|
374 |
_cookie_max_age = max_age if max_age is None else int(max_age) |
4fade6
|
375 |
_cookie_path = path |
MM |
376 |
_cookie_domain = domain |
|
377 |
_cookie_secure = secure |
|
378 |
_cookie_httponly = httponly |
|
379 |
_cookie_on_exception = set_on_exception |
67ff3b
|
380 |
_timeout = timeout if timeout is None else int(timeout) |
a43abd
|
381 |
_reissue_time = reissue_time if reissue_time is None else int(reissue_time) |
4fade6
|
382 |
|
MM |
383 |
# dirty flag |
|
384 |
_dirty = False |
|
385 |
|
|
386 |
def __init__(self, request): |
|
387 |
self.request = request |
|
388 |
now = time.time() |
|
389 |
created = renewed = now |
|
390 |
new = True |
|
391 |
value = None |
|
392 |
state = {} |
|
393 |
cookieval = request.cookies.get(self._cookie_name) |
|
394 |
if cookieval is not None: |
|
395 |
try: |
8134a7
|
396 |
value = serializer.loads(bytes_(cookieval)) |
4fade6
|
397 |
except ValueError: |
b0b09c
|
398 |
# the cookie failed to deserialize, dropped |
4fade6
|
399 |
value = None |
MM |
400 |
|
|
401 |
if value is not None: |
|
402 |
try: |
8f4fbd
|
403 |
# since the value is not necessarily signed, we have |
MM |
404 |
# to unpack it a little carefully |
|
405 |
rval, cval, sval = value |
|
406 |
renewed = float(rval) |
|
407 |
created = float(cval) |
|
408 |
state = sval |
4fade6
|
409 |
new = False |
8f4fbd
|
410 |
except (TypeError, ValueError): |
b0b09c
|
411 |
# value failed to unpack properly or renewed was not |
MM |
412 |
# a numeric type so we'll fail deserialization here |
4fade6
|
413 |
state = {} |
MM |
414 |
|
8f4fbd
|
415 |
if self._timeout is not None: |
MM |
416 |
if now - renewed > self._timeout: |
|
417 |
# expire the session because it was not renewed |
|
418 |
# before the timeout threshold |
4fade6
|
419 |
state = {} |
MM |
420 |
|
|
421 |
self.created = created |
|
422 |
self.accessed = renewed |
|
423 |
self.renewed = renewed |
|
424 |
self.new = new |
|
425 |
dict.__init__(self, state) |
|
426 |
|
|
427 |
# ISession methods |
|
428 |
def changed(self): |
|
429 |
if not self._dirty: |
|
430 |
self._dirty = True |
|
431 |
def set_cookie_callback(request, response): |
|
432 |
self._set_cookie(response) |
|
433 |
self.request = None # explicitly break cycle for gc |
|
434 |
self.request.add_response_callback(set_cookie_callback) |
|
435 |
|
|
436 |
def invalidate(self): |
|
437 |
self.clear() # XXX probably needs to unset cookie |
|
438 |
|
|
439 |
# non-modifying dictionary methods |
|
440 |
get = manage_accessed(dict.get) |
|
441 |
__getitem__ = manage_accessed(dict.__getitem__) |
|
442 |
items = manage_accessed(dict.items) |
|
443 |
values = manage_accessed(dict.values) |
|
444 |
keys = manage_accessed(dict.keys) |
|
445 |
__contains__ = manage_accessed(dict.__contains__) |
|
446 |
__len__ = manage_accessed(dict.__len__) |
|
447 |
__iter__ = manage_accessed(dict.__iter__) |
|
448 |
|
bc37a5
|
449 |
if PY2: |
4fade6
|
450 |
iteritems = manage_accessed(dict.iteritems) |
MM |
451 |
itervalues = manage_accessed(dict.itervalues) |
|
452 |
iterkeys = manage_accessed(dict.iterkeys) |
|
453 |
has_key = manage_accessed(dict.has_key) |
|
454 |
|
|
455 |
# modifying dictionary methods |
|
456 |
clear = manage_changed(dict.clear) |
|
457 |
update = manage_changed(dict.update) |
|
458 |
setdefault = manage_changed(dict.setdefault) |
|
459 |
pop = manage_changed(dict.pop) |
|
460 |
popitem = manage_changed(dict.popitem) |
|
461 |
__setitem__ = manage_changed(dict.__setitem__) |
|
462 |
__delitem__ = manage_changed(dict.__delitem__) |
|
463 |
|
|
464 |
# flash API methods |
|
465 |
@manage_changed |
|
466 |
def flash(self, msg, queue='', allow_duplicate=True): |
|
467 |
storage = self.setdefault('_f_' + queue, []) |
|
468 |
if allow_duplicate or (msg not in storage): |
|
469 |
storage.append(msg) |
|
470 |
|
|
471 |
@manage_changed |
|
472 |
def pop_flash(self, queue=''): |
|
473 |
storage = self.pop('_f_' + queue, []) |
|
474 |
return storage |
|
475 |
|
|
476 |
@manage_accessed |
|
477 |
def peek_flash(self, queue=''): |
|
478 |
storage = self.get('_f_' + queue, []) |
|
479 |
return storage |
|
480 |
|
|
481 |
# CSRF API methods |
|
482 |
@manage_changed |
|
483 |
def new_csrf_token(self): |
|
484 |
token = text_(binascii.hexlify(os.urandom(20))) |
|
485 |
self['_csrft_'] = token |
|
486 |
return token |
|
487 |
|
|
488 |
@manage_accessed |
|
489 |
def get_csrf_token(self): |
|
490 |
token = self.get('_csrft_', None) |
|
491 |
if token is None: |
|
492 |
token = self.new_csrf_token() |
|
493 |
return token |
|
494 |
|
|
495 |
# non-API methods |
|
496 |
def _set_cookie(self, response): |
|
497 |
if not self._cookie_on_exception: |
|
498 |
exception = getattr(self.request, 'exception', None) |
|
499 |
if exception is not None: # dont set a cookie during exceptions |
|
500 |
return False |
8134a7
|
501 |
cookieval = native_(serializer.dumps( |
4fade6
|
502 |
(self.accessed, self.created, dict(self)) |
MM |
503 |
)) |
|
504 |
if len(cookieval) > 4064: |
|
505 |
raise ValueError( |
|
506 |
'Cookie value is too long to store (%s bytes)' % |
|
507 |
len(cookieval) |
|
508 |
) |
|
509 |
response.set_cookie( |
|
510 |
self._cookie_name, |
|
511 |
value=cookieval, |
|
512 |
max_age=self._cookie_max_age, |
|
513 |
path=self._cookie_path, |
|
514 |
domain=self._cookie_domain, |
|
515 |
secure=self._cookie_secure, |
|
516 |
httponly=self._cookie_httponly, |
|
517 |
) |
|
518 |
return True |
|
519 |
|
|
520 |
return CookieSession |
968209
|
521 |
|
c151ad
|
522 |
|
MM |
523 |
def UnencryptedCookieSessionFactoryConfig( |
|
524 |
secret, |
|
525 |
timeout=1200, |
|
526 |
cookie_name='session', |
|
527 |
cookie_max_age=None, |
|
528 |
cookie_path='/', |
|
529 |
cookie_domain=None, |
|
530 |
cookie_secure=False, |
|
531 |
cookie_httponly=False, |
|
532 |
cookie_on_exception=True, |
|
533 |
signed_serialize=signed_serialize, |
|
534 |
signed_deserialize=signed_deserialize, |
|
535 |
): |
|
536 |
""" |
|
537 |
.. deprecated:: 1.5 |
|
538 |
Use :func:`pyramid.session.SignedCookieSessionFactory` instead. |
|
539 |
Caveat: Cookies generated using ``SignedCookieSessionFactory`` are not |
|
540 |
compatible with cookies generated using |
|
541 |
``UnencryptedCookieSessionFactory``, so existing user session data |
|
542 |
will be destroyed if you switch to it. |
f65375
|
543 |
|
c151ad
|
544 |
Configure a :term:`session factory` which will provide unencrypted |
MM |
545 |
(but signed) cookie-based sessions. The return value of this |
|
546 |
function is a :term:`session factory`, which may be provided as |
|
547 |
the ``session_factory`` argument of a |
|
548 |
:class:`pyramid.config.Configurator` constructor, or used |
|
549 |
as the ``session_factory`` argument of the |
|
550 |
:meth:`pyramid.config.Configurator.set_session_factory` |
|
551 |
method. |
|
552 |
|
|
553 |
The session factory returned by this function will create sessions |
|
554 |
which are limited to storing fewer than 4000 bytes of data (as the |
|
555 |
payload must fit into a single cookie). |
|
556 |
|
|
557 |
Parameters: |
|
558 |
|
|
559 |
``secret`` |
|
560 |
A string which is used to sign the cookie. |
|
561 |
|
|
562 |
``timeout`` |
|
563 |
A number of seconds of inactivity before a session times out. |
|
564 |
|
|
565 |
``cookie_name`` |
|
566 |
The name of the cookie used for sessioning. |
|
567 |
|
|
568 |
``cookie_max_age`` |
|
569 |
The maximum age of the cookie used for sessioning (in seconds). |
|
570 |
Default: ``None`` (browser scope). |
|
571 |
|
|
572 |
``cookie_path`` |
|
573 |
The path used for the session cookie. |
|
574 |
|
|
575 |
``cookie_domain`` |
|
576 |
The domain used for the session cookie. Default: ``None`` (no domain). |
|
577 |
|
|
578 |
``cookie_secure`` |
|
579 |
The 'secure' flag of the session cookie. |
|
580 |
|
|
581 |
``cookie_httponly`` |
|
582 |
The 'httpOnly' flag of the session cookie. |
|
583 |
|
|
584 |
``cookie_on_exception`` |
|
585 |
If ``True``, set a session cookie even if an exception occurs |
|
586 |
while rendering a view. |
|
587 |
|
|
588 |
``signed_serialize`` |
|
589 |
A callable which takes more or less arbitrary Python data structure and |
|
590 |
a secret and returns a signed serialization in bytes. |
|
591 |
Default: ``signed_serialize`` (using pickle). |
|
592 |
|
|
593 |
``signed_deserialize`` |
|
594 |
A callable which takes a signed and serialized data structure in bytes |
|
595 |
and a secret and returns the original data structure if the signature |
|
596 |
is valid. Default: ``signed_deserialize`` (using pickle). |
|
597 |
""" |
|
598 |
|
|
599 |
class SerializerWrapper(object): |
|
600 |
def __init__(self, secret): |
|
601 |
self.secret = secret |
f65375
|
602 |
|
c151ad
|
603 |
def loads(self, bstruct): |
MM |
604 |
return signed_deserialize(bstruct, secret) |
|
605 |
|
|
606 |
def dumps(self, appstruct): |
|
607 |
return signed_serialize(appstruct, secret) |
|
608 |
|
|
609 |
serializer = SerializerWrapper(secret) |
|
610 |
|
|
611 |
return BaseCookieSessionFactory( |
|
612 |
serializer, |
|
613 |
cookie_name=cookie_name, |
|
614 |
max_age=cookie_max_age, |
|
615 |
path=cookie_path, |
|
616 |
domain=cookie_domain, |
|
617 |
secure=cookie_secure, |
|
618 |
httponly=cookie_httponly, |
|
619 |
timeout=timeout, |
|
620 |
reissue_time=0, # to keep session.accessed == session.renewed |
|
621 |
set_on_exception=cookie_on_exception, |
|
622 |
) |
|
623 |
|
|
624 |
deprecated( |
|
625 |
'UnencryptedCookieSessionFactoryConfig', |
|
626 |
'The UnencryptedCookieSessionFactoryConfig callable is deprecated as of ' |
|
627 |
'Pyramid 1.5. Use ``pyramid.session.SignedCookieSessionFactory`` instead.' |
|
628 |
' Caveat: Cookies generated using SignedCookieSessionFactory are not ' |
|
629 |
'compatible with cookies generated using UnencryptedCookieSessionFactory, ' |
|
630 |
'so existing user session data will be destroyed if you switch to it.' |
|
631 |
) |
|
632 |
|
3a6cbc
|
633 |
def SignedCookieSessionFactory( |
MM |
634 |
secret, |
|
635 |
cookie_name='session', |
4fade6
|
636 |
max_age=None, |
MM |
637 |
path='/', |
|
638 |
domain=None, |
|
639 |
secure=False, |
|
640 |
httponly=False, |
|
641 |
set_on_exception=True, |
|
642 |
timeout=1200, |
|
643 |
reissue_time=0, |
|
644 |
hashalg='sha512', |
b0b09c
|
645 |
salt='pyramid.session.', |
8134a7
|
646 |
serializer=None, |
3a6cbc
|
647 |
): |
MM |
648 |
""" |
9536f9
|
649 |
.. versionadded:: 1.5 |
f65375
|
650 |
|
3a6cbc
|
651 |
Configure a :term:`session factory` which will provide signed |
MM |
652 |
cookie-based sessions. The return value of this |
|
653 |
function is a :term:`session factory`, which may be provided as |
|
654 |
the ``session_factory`` argument of a |
|
655 |
:class:`pyramid.config.Configurator` constructor, or used |
|
656 |
as the ``session_factory`` argument of the |
|
657 |
:meth:`pyramid.config.Configurator.set_session_factory` |
|
658 |
method. |
968209
|
659 |
|
3a6cbc
|
660 |
The session factory returned by this function will create sessions |
MM |
661 |
which are limited to storing fewer than 4000 bytes of data (as the |
|
662 |
payload must fit into a single cookie). |
815955
|
663 |
|
3a6cbc
|
664 |
Parameters: |
968209
|
665 |
|
3a6cbc
|
666 |
``secret`` |
b0b09c
|
667 |
A string which is used to sign the cookie. The secret should be at |
MM |
668 |
least as long as the block size of the selected hash algorithm. For |
f65375
|
669 |
``sha512`` this would mean a 512 bit (64 character) secret. It should |
e521f1
|
670 |
be unique within the set of secret values provided to Pyramid for |
CM |
671 |
its various subsystems (see :ref:`admonishment_against_secret_sharing`). |
968209
|
672 |
|
3a6cbc
|
673 |
``hashalg`` |
MM |
674 |
The HMAC digest algorithm to use for signing. The algorithm must be |
|
675 |
supported by the :mod:`hashlib` library. Default: ``'sha512'``. |
968209
|
676 |
|
b0b09c
|
677 |
``salt`` |
MM |
678 |
A namespace to avoid collisions between different uses of a shared |
|
679 |
secret. Reusing a secret for different parts of an application is |
2dea18
|
680 |
strongly discouraged (see :ref:`admonishment_against_secret_sharing`). |
7c756b
|
681 |
Default: ``'pyramid.session.'``. |
968209
|
682 |
|
3a6cbc
|
683 |
``cookie_name`` |
MM |
684 |
The name of the cookie used for sessioning. Default: ``'session'``. |
968209
|
685 |
|
4fade6
|
686 |
``max_age`` |
3a6cbc
|
687 |
The maximum age of the cookie used for sessioning (in seconds). |
MM |
688 |
Default: ``None`` (browser scope). |
475532
|
689 |
|
4fade6
|
690 |
``path`` |
3a6cbc
|
691 |
The path used for the session cookie. Default: ``'/'``. |
968209
|
692 |
|
4fade6
|
693 |
``domain`` |
3a6cbc
|
694 |
The domain used for the session cookie. Default: ``None`` (no domain). |
4df636
|
695 |
|
4fade6
|
696 |
``secure`` |
3a6cbc
|
697 |
The 'secure' flag of the session cookie. Default: ``False``. |
6f6d36
|
698 |
|
4fade6
|
699 |
``httponly`` |
MM |
700 |
Hide the cookie from Javascript by setting the 'HttpOnly' flag of the |
|
701 |
session cookie. Default: ``False``. |
4df636
|
702 |
|
4fade6
|
703 |
``timeout`` |
MM |
704 |
A number of seconds of inactivity before a session times out. If |
89dc46
|
705 |
``None`` then the cookie never expires. This lifetime only applies |
MM |
706 |
to the *value* within the cookie. Meaning that if the cookie expires |
|
707 |
due to a lower ``max_age``, then this setting has no effect. |
|
708 |
Default: ``1200``. |
319793
|
709 |
|
4fade6
|
710 |
``reissue_time`` |
MM |
711 |
The number of seconds that must pass before the cookie is automatically |
89dc46
|
712 |
reissued as the result of accessing the session. The |
4fade6
|
713 |
duration is measured as the number of seconds since the last session |
MM |
714 |
cookie was issued and 'now'. If this value is ``0``, a new cookie |
89dc46
|
715 |
will be reissued on every request accessing the session. If ``None`` |
4fade6
|
716 |
then the cookie's lifetime will never be extended. |
319793
|
717 |
|
4fade6
|
718 |
A good rule of thumb: if you want auto-expired cookies based on |
MM |
719 |
inactivity: set the ``timeout`` value to 1200 (20 mins) and set the |
|
720 |
``reissue_time`` value to perhaps a tenth of the ``timeout`` value |
|
721 |
(120 or 2 mins). It's nonsensical to set the ``timeout`` value lower |
|
722 |
than the ``reissue_time`` value, as the ticket will never be reissued. |
|
723 |
However, such a configuration is not explicitly prevented. |
968209
|
724 |
|
4fade6
|
725 |
Default: ``0``. |
MM |
726 |
|
|
727 |
``set_on_exception`` |
3a6cbc
|
728 |
If ``True``, set a session cookie even if an exception occurs |
MM |
729 |
while rendering a view. Default: ``True``. |
|
730 |
|
8134a7
|
731 |
``serializer`` |
1098ac
|
732 |
An object with two methods: ``loads`` and ``dumps``. The ``loads`` |
MM |
733 |
method should accept bytes and return a Python object. The ``dumps`` |
|
734 |
method should accept a Python object and return bytes. A ``ValueError`` |
|
735 |
should be raised for malformed inputs. If a serializer is not passed, |
|
736 |
the :class:`pyramid.session.PickleSerializer` serializer will be used. |
4fade6
|
737 |
|
MM |
738 |
.. versionadded: 1.5a3 |
3a6cbc
|
739 |
""" |
8134a7
|
740 |
if serializer is None: |
CM |
741 |
serializer = PickleSerializer() |
3a6cbc
|
742 |
|
8134a7
|
743 |
signed_serializer = SignedSerializer( |
CM |
744 |
secret, |
1098ac
|
745 |
salt, |
8134a7
|
746 |
hashalg, |
CM |
747 |
serializer=serializer, |
|
748 |
) |
3a6cbc
|
749 |
|
4fade6
|
750 |
return BaseCookieSessionFactory( |
8134a7
|
751 |
signed_serializer, |
3a6cbc
|
752 |
cookie_name=cookie_name, |
4fade6
|
753 |
max_age=max_age, |
MM |
754 |
path=path, |
|
755 |
domain=domain, |
|
756 |
secure=secure, |
|
757 |
httponly=httponly, |
|
758 |
timeout=timeout, |
|
759 |
reissue_time=reissue_time, |
|
760 |
set_on_exception=set_on_exception, |
3a6cbc
|
761 |
) |