Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Fixed a subtle corner case whereby sending a bad session ID generates…

… new (unused) session entries in the database table.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@7001 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 041e24dbde48a38e539f85c378842849f7dc00a1 1 parent 70fe1ef
Malcolm Tredinnick malcolmt authored
16 django/contrib/sessions/backends/db.py
View
@@ -10,40 +10,42 @@ class SessionStore(SessionBase):
"""
def __init__(self, session_key=None):
super(SessionStore, self).__init__(session_key)
-
+
def load(self):
try:
s = Session.objects.get(
- session_key = self.session_key,
+ session_key = self.session_key,
expire_date__gt=datetime.datetime.now()
)
return self.decode(s.session_data)
except (Session.DoesNotExist, SuspiciousOperation):
-
+
# Create a new session_key for extra security.
self.session_key = self._get_new_session_key()
self._session_cache = {}
# Save immediately to minimize collision
self.save()
+ # Ensure the user is notified via a new cookie.
+ self.modified = True
return {}
-
+
def exists(self, session_key):
try:
Session.objects.get(session_key=session_key)
except Session.DoesNotExist:
return False
return True
-
+
def save(self):
Session.objects.create(
session_key = self.session_key,
session_data = self.encode(self._session),
expire_date = datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE)
)
-
+
def delete(self, session_key):
try:
Session.objects.get(session_key=session_key).delete()
except Session.DoesNotExist:
- pass
+ pass
20 django/contrib/sessions/backends/file.py
View
@@ -10,31 +10,31 @@ class SessionStore(SessionBase):
"""
def __init__(self, session_key=None):
self.storage_path = getattr(settings, "SESSION_FILE_PATH", tempfile.gettempdir())
-
+
# Make sure the storage path is valid.
if not os.path.isdir(self.storage_path):
raise ImproperlyConfigured("The session storage path %r doesn't exist. "\
"Please set your SESSION_FILE_PATH setting "\
"to an existing directory in which Django "\
"can store session data." % self.storage_path)
-
- self.file_prefix = settings.SESSION_COOKIE_NAME
+
+ self.file_prefix = settings.SESSION_COOKIE_NAME
super(SessionStore, self).__init__(session_key)
-
+
def _key_to_file(self, session_key=None):
"""
Get the file associated with this session key.
"""
if session_key is None:
session_key = self.session_key
-
+
# Make sure we're not vulnerable to directory traversal. Session keys
# should always be md5s, so they should never contain directory components.
if os.path.sep in session_key:
raise SuspiciousOperation("Invalid characters (directory components) in session key")
-
+
return os.path.join(self.storage_path, self.file_prefix + session_key)
-
+
def load(self):
session_data = {}
try:
@@ -46,6 +46,8 @@ def load(self):
self._session_key = self._get_new_session_key()
self._session_cache = {}
self.save()
+ # Ensure the user is notified via a new cookie.
+ self.modified = True
finally:
session_file.close()
except(IOError):
@@ -66,12 +68,12 @@ def exists(self, session_key):
if os.path.exists(self._key_to_file(session_key)):
return True
return False
-
+
def delete(self, session_key):
try:
os.unlink(self._key_to_file(session_key))
except OSError:
pass
-
+
def clean(self):
pass
Please sign in to comment.
Something went wrong with that request. Please try again.