From 9b7e967c7f8dc9a49e2550cd70af5cf2ca6b8a60 Mon Sep 17 00:00:00 2001
From: jpic <jamespic@gmail.com>
Date: Thu, 17 May 2012 16:54:13 +0200
Subject: [PATCH] Implemented session extension dialog, consistency cleanups

---
 README.rst                                    |  4 +-
 session_security/middleware.py                | 25 ++++--
 session_security/settings.py                  | 14 ++-
 .../templates/session_security.html           | 90 +++++++++++++++++++
 .../templates/session_security/script.js      | 10 ---
 session_security/urls.py                      | 11 +++
 session_security/views.py                     | 15 ++++
 7 files changed, 146 insertions(+), 23 deletions(-)
 create mode 100644 session_security/templates/session_security.html
 delete mode 100644 session_security/templates/session_security/script.js
 create mode 100644 session_security/urls.py
 create mode 100644 session_security/views.py

diff --git a/README.rst b/README.rst
index 464f837..3ec2a8a 100644
--- a/README.rst
+++ b/README.rst
@@ -1,2 +1,2 @@
-django-session-expiry
-=====================
\ No newline at end of file
+django-session-security
+=======================
diff --git a/session_security/middleware.py b/session_security/middleware.py
index 8962115..6fc3774 100644
--- a/session_security/middleware.py
+++ b/session_security/middleware.py
@@ -3,20 +3,27 @@
 from django import http
 from django.contrib.auth import logout
 
-from settings import LOGIN_URL, SECONDS
+from settings import LOGOUT_URL, LOGIN_URL, EXPIRE_AFTER, WARN_BEFORE
 
 class SessionSecurityMiddleware(object):
     def process_request(self, request):
+        if not request.user.is_authenticated():
+            return
+
         now = datetime.datetime.now()
-        last_activity = request.session.get('last_activity', now)
-        delta = now - last_activity
-        
-        if delta.seconds > SECONDS and request.path_info != LOGIN_URL:
+        data = request.session.get('session_security', {
+            'LOGOUT_URL': LOGOUT_URL,
+            'LOGIN_URL': LOGIN_URL,
+            'EXPIRE_AFTER': EXPIRE_AFTER,
+            'WARN_BEFORE': WARN_BEFORE,
+            'last_activity': now,
+        })
+
+        delta = now - data['last_activity']
+        if delta.seconds > EXPIRE_AFTER and request.path_info != LOGIN_URL:
             logout(request)
             return http.HttpResponseRedirect(
                 '%s?next=%s' % (LOGIN_URL, request.path_info))
    
-        request.session['last_activity'] = now
-        # javascript should have a margin of 10 for page rendering
-        request.session['session_expiry_seconds'] = SECONDS - 10
-
+        data['last_activity'] = now
+        request.session['session_security'] = data
diff --git a/session_security/settings.py b/session_security/settings.py
index 679051b..9465dbc 100644
--- a/session_security/settings.py
+++ b/session_security/settings.py
@@ -2,11 +2,21 @@
 
 from django.conf import settings
 
-__all__ = ['SECONDS', 'LOGIN_URL']
+__all__ = ['EXPIRE_AFTER', 'WARN_BEFORE', 'LOGIN_URL', 'LOGOUT_URL']
 
-SECONDS = getattr(settings, 'SESSION_EXPIRY_SECONDS', 600)
+EXPIRE_AFTER = getattr(settings, 'SESSION_SECURITY_EXPIRE_AFTER', 600)
+
+WARN_BEFORE = getattr(settings, 'SESSION_SECURITY_WARN_BEFORE', 20)
 
 LOGIN_URL = settings.LOGIN_URL
 
+LOGOUT_URL = getattr(settings, 'LOGOUT_URL', False)
+
+if not LOGOUT_URL:
+    if 'pinax.apps.account' in settings.INSTALLED_APPS:
+        LOGOUT_URL = urlresolvers.reverse('acct_logout')
+    else:
+        raise Exception('LOGOUT_URL not configured, session_security cannot work')
+
 if not getattr(settings, 'SESSION_EXPIRE_AT_BROWSER_CLOSE', False):
     warnings.warn('settings.SESSION_EXPIRE_AT_BROWSER_CLOSE is not True')
diff --git a/session_security/templates/session_security.html b/session_security/templates/session_security.html
new file mode 100644
index 0000000..97a4870
--- /dev/null
+++ b/session_security/templates/session_security.html
@@ -0,0 +1,90 @@
+{% load i18n %}
+{% load url from future %}
+
+<style type="text/css">
+/* credit: http://www.csslab.cl/2008/01/30/ventana-modal-solo-con-css/ */
+.session_security_overlay {
+    position: absolute;
+    top: 0;
+    left: 0;
+    width: 100%;
+    height: 100%;
+    background: #000;
+    z-index:1001;
+    opacity:.75;
+    -moz-opacity: 0.75;
+    filter: alpha(opacity=75);
+}
+
+.session_security_modal {
+    position: absolute;
+    top: 25%;
+    left: 25%;
+    width: 50%;
+    padding: 16px;
+    background: #fff;
+    color: #333;
+    z-index:1002;
+    overflow: auto;
+    text-align: center;
+}
+</style>
+
+<div id="session_security_warning" class="session_security" style="display:none">
+    <div class="session_security_overlay"></div>
+    <div class="session_security_modal">
+        <h3>{% trans 'Your session is about to expire' %}</h3>
+        <p>{% trans 'When your session expires, you will have to login again.' %}</p>
+        <p>{% trans 'Do you want to extend your session ?' %}</p>
+        <span class="yes">{% trans 'Yes' %}</span>
+        <span class="no">{% trans 'No' %}</span>
+    </div>
+</div>
+
+<script type="text/javascript">
+var SessionSecurity = function() {
+    this.url = '{% url 'session_security_extend_session' %}';
+
+    this.warn = function() {
+        sessionSecurity.dialog.show();
+    }
+    this.expire = function() {
+        document.location.href = sessionSecurity.LOGOUT_URL + '?next={{ request.path }}';
+    }
+
+    this.dialog = $('#session_security_warning');
+
+    this.initialize = function() {
+        this.dialog.find('.yes').click(function() {
+            sessionSecurity.dialog.hide();
+
+            clearTimeout(sessionSecurity.expireTimeout);
+            clearTimeout(sessionSecurity.warningTimeout);
+
+            $.post(sessionSecurity.url, function(data, textStatus, jqXHR) {
+                sessionSecurity.warningTimeout = setTimeout(sessionSecurity.warn,
+                    (sessionSecurity.EXPIRE_AFTER - sessionSecurity.WARN_BEFORE) * 1000);
+                sessionSecurity.expireTimeout = setTimeout(sessionSecurity.expire, 
+                    sessionSecurity.EXPIRE_AFTER * 1000);
+            });
+        });
+        
+        this.dialog.find('.no').click(function() {
+            sessionSecurity.dialog.hide();
+        });
+
+        this.warningTimeout = setTimeout(this.warn,
+            (this.EXPIRE_AFTER - this.WARN_BEFORE) * 1000);
+        this.expireTimeout = setTimeout(this.expire, this.EXPIRE_AFTER * 1000);
+    }
+}
+
+var sessionSecurity = new SessionSecurity();
+sessionSecurity = $.extend({
+    LOGIN_URL: '{{ request.session.session_security.LOGIN_URL }}',
+    LOGOUT_URL: '{{ request.session.session_security.LOGOUT_URL }}',
+    EXPIRE_AFTER: {{ request.session.session_security.EXPIRE_AFTER }},
+    WARN_BEFORE: {{ request.session.session_security.WARN_BEFORE }},
+}, sessionSecurity);
+sessionSecurity.initialize();
+</script>
diff --git a/session_security/templates/session_security/script.js b/session_security/templates/session_security/script.js
deleted file mode 100644
index 46ded62..0000000
--- a/session_security/templates/session_security/script.js
+++ /dev/null
@@ -1,10 +0,0 @@
-{% if request.user.is_authenticated %}
-    var session_expiry_seconds = {{ request.session.session_expiry_seconds }};
-    setTimeout(function() {
-        alert('You session is about to expire !');
-    }, session_expiry_seconds*1000-10*1000);
-    setTimeout(function() {
-        alert('Session expired');
-    }, session_expiry_seconds*1000);
-{% endif %}
-
diff --git a/session_security/urls.py b/session_security/urls.py
new file mode 100644
index 0000000..bfa27b1
--- /dev/null
+++ b/session_security/urls.py
@@ -0,0 +1,11 @@
+from django.conf.urls.defaults import url, patterns
+
+from views import ExtendSessionView
+
+urlpatterns = patterns('',
+    url(
+        'extend/$',
+        ExtendSessionView.as_view(),
+        name='session_security_extend_session',
+    ),
+)
diff --git a/session_security/views.py b/session_security/views.py
new file mode 100644
index 0000000..e1d50ef
--- /dev/null
+++ b/session_security/views.py
@@ -0,0 +1,15 @@
+import datetime
+
+from django.views import generic
+from django import http
+
+from settings import EXPIRE_AFTER, WARN_BEFORE
+
+class ExtendSessionView(generic.View):
+    def post(self, request, *args, **kwargs):
+        if not request.user.is_authenticated():
+            return http.HttpResponseForbidden()
+
+        now = datetime.datetime.now()
+        request.session['session_security']['last_activity'] = now
+        return http.HttpResponse()