opensecurity: OpenSecurity/install/web.py-0.37/build/lib/web/session.py@65432e6c6042 (annotated)

om@3	1	"""
om@3	2	Session Management
om@3	3	(from web.py)
om@3	4	"""
om@3	5
om@3	6	import os, time, datetime, random, base64
om@3	7	import os.path
om@3	8	from copy import deepcopy
om@3	9	try:
om@3	10	import cPickle as pickle
om@3	11	except ImportError:
om@3	12	import pickle
om@3	13	try:
om@3	14	import hashlib
om@3	15	sha1 = hashlib.sha1
om@3	16	except ImportError:
om@3	17	import sha
om@3	18	sha1 = sha.new
om@3	19
om@3	20	import utils
om@3	21	import webapi as web
om@3	22
om@3	23	__all__ = [
om@3	24	'Session', 'SessionExpired',
om@3	25	'Store', 'DiskStore', 'DBStore',
om@3	26	]
om@3	27
om@3	28	web.config.session_parameters = utils.storage({
om@3	29	'cookie_name': 'webpy_session_id',
om@3	30	'cookie_domain': None,
om@3	31	'cookie_path' : None,
om@3	32	'timeout': 86400, #24 * 60 * 60, # 24 hours in seconds
om@3	33	'ignore_expiry': True,
om@3	34	'ignore_change_ip': True,
om@3	35	'secret_key': 'fLjUfxqXtfNoIldA0A0J',
om@3	36	'expired_message': 'Session expired',
om@3	37	'httponly': True,
om@3	38	'secure': False
om@3	39	})
om@3	40
om@3	41	class SessionExpired(web.HTTPError):
om@3	42	def __init__(self, message):
om@3	43	web.HTTPError.__init__(self, '200 OK', {}, data=message)
om@3	44
om@3	45	class Session(object):
om@3	46	"""Session management for web.py
om@3	47	"""
om@3	48	__slots__ = [
om@3	49	"store", "_initializer", "_last_cleanup_time", "_config", "_data",
om@3	50	"__getitem__", "__setitem__", "__delitem__"
om@3	51	]
om@3	52
om@3	53	def __init__(self, app, store, initializer=None):
om@3	54	self.store = store
om@3	55	self._initializer = initializer
om@3	56	self._last_cleanup_time = 0
om@3	57	self._config = utils.storage(web.config.session_parameters)
om@3	58	self._data = utils.threadeddict()
om@3	59
om@3	60	self.__getitem__ = self._data.__getitem__
om@3	61	self.__setitem__ = self._data.__setitem__
om@3	62	self.__delitem__ = self._data.__delitem__
om@3	63
om@3	64	if app:
om@3	65	app.add_processor(self._processor)
om@3	66
om@3	67	def __contains__(self, name):
om@3	68	return name in self._data
om@3	69
om@3	70	def __getattr__(self, name):
om@3	71	return getattr(self._data, name)
om@3	72
om@3	73	def __setattr__(self, name, value):
om@3	74	if name in self.__slots__:
om@3	75	object.__setattr__(self, name, value)
om@3	76	else:
om@3	77	setattr(self._data, name, value)
om@3	78
om@3	79	def __delattr__(self, name):
om@3	80	delattr(self._data, name)
om@3	81
om@3	82	def _processor(self, handler):
om@3	83	"""Application processor to setup session for every request"""
om@3	84	self._cleanup()
om@3	85	self._load()
om@3	86
om@3	87	try:
om@3	88	return handler()
om@3	89	finally:
om@3	90	self._save()
om@3	91
om@3	92	def _load(self):
om@3	93	"""Load the session from the store, by the id from cookie"""
om@3	94	cookie_name = self._config.cookie_name
om@3	95	cookie_domain = self._config.cookie_domain
om@3	96	cookie_path = self._config.cookie_path
om@3	97	httponly = self._config.httponly
om@3	98	self.session_id = web.cookies().get(cookie_name)
om@3	99
om@3	100	# protection against session_id tampering
om@3	101	if self.session_id and not self._valid_session_id(self.session_id):
om@3	102	self.session_id = None
om@3	103
om@3	104	self._check_expiry()
om@3	105	if self.session_id:
om@3	106	d = self.store[self.session_id]
om@3	107	self.update(d)
om@3	108	self._validate_ip()
om@3	109
om@3	110	if not self.session_id:
om@3	111	self.session_id = self._generate_session_id()
om@3	112
om@3	113	if self._initializer:
om@3	114	if isinstance(self._initializer, dict):
om@3	115	self.update(deepcopy(self._initializer))
om@3	116	elif hasattr(self._initializer, '__call__'):
om@3	117	self._initializer()
om@3	118
om@3	119	self.ip = web.ctx.ip
om@3	120
om@3	121	def _check_expiry(self):
om@3	122	# check for expiry
om@3	123	if self.session_id and self.session_id not in self.store:
om@3	124	if self._config.ignore_expiry:
om@3	125	self.session_id = None
om@3	126	else:
om@3	127	return self.expired()
om@3	128
om@3	129	def _validate_ip(self):
om@3	130	# check for change of IP
om@3	131	if self.session_id and self.get('ip', None) != web.ctx.ip:
om@3	132	if not self._config.ignore_change_ip:
om@3	133	return self.expired()
om@3	134
om@3	135	def _save(self):
om@3	136	if not self.get('_killed'):
om@3	137	self._setcookie(self.session_id)
om@3	138	self.store[self.session_id] = dict(self._data)
om@3	139	else:
om@3	140	self._setcookie(self.session_id, expires=-1)
om@3	141
om@3	142	def _setcookie(self, session_id, expires='', **kw):
om@3	143	cookie_name = self._config.cookie_name
om@3	144	cookie_domain = self._config.cookie_domain
om@3	145	cookie_path = self._config.cookie_path
om@3	146	httponly = self._config.httponly
om@3	147	secure = self._config.secure
om@3	148	web.setcookie(cookie_name, session_id, expires=expires, domain=cookie_domain, httponly=httponly, secure=secure, path=cookie_path)
om@3	149
om@3	150	def _generate_session_id(self):
om@3	151	"""Generate a random id for session"""
om@3	152
om@3	153	while True:
om@3	154	rand = os.urandom(16)
om@3	155	now = time.time()
om@3	156	secret_key = self._config.secret_key
om@3	157	session_id = sha1("%s%s%s%s" %(rand, now, utils.safestr(web.ctx.ip), secret_key))
om@3	158	session_id = session_id.hexdigest()
om@3	159	if session_id not in self.store:
om@3	160	break
om@3	161	return session_id
om@3	162
om@3	163	def _valid_session_id(self, session_id):
om@3	164	rx = utils.re_compile('^[0-9a-fA-F]+$')
om@3	165	return rx.match(session_id)
om@3	166
om@3	167	def _cleanup(self):
om@3	168	"""Cleanup the stored sessions"""
om@3	169	current_time = time.time()
om@3	170	timeout = self._config.timeout
om@3	171	if current_time - self._last_cleanup_time > timeout:
om@3	172	self.store.cleanup(timeout)
om@3	173	self._last_cleanup_time = current_time
om@3	174
om@3	175	def expired(self):
om@3	176	"""Called when an expired session is atime"""
om@3	177	self._killed = True
om@3	178	self._save()
om@3	179	raise SessionExpired(self._config.expired_message)
om@3	180
om@3	181	def kill(self):
om@3	182	"""Kill the session, make it no longer available"""
om@3	183	del self.store[self.session_id]
om@3	184	self._killed = True
om@3	185
om@3	186	class Store:
om@3	187	"""Base class for session stores"""
om@3	188
om@3	189	def __contains__(self, key):
om@3	190	raise NotImplementedError
om@3	191
om@3	192	def __getitem__(self, key):
om@3	193	raise NotImplementedError
om@3	194
om@3	195	def __setitem__(self, key, value):
om@3	196	raise NotImplementedError
om@3	197
om@3	198	def cleanup(self, timeout):
om@3	199	"""removes all the expired sessions"""
om@3	200	raise NotImplementedError
om@3	201
om@3	202	def encode(self, session_dict):
om@3	203	"""encodes session dict as a string"""
om@3	204	pickled = pickle.dumps(session_dict)
om@3	205	return base64.encodestring(pickled)
om@3	206
om@3	207	def decode(self, session_data):
om@3	208	"""decodes the data to get back the session dict """
om@3	209	pickled = base64.decodestring(session_data)
om@3	210	return pickle.loads(pickled)
om@3	211
om@3	212	class DiskStore(Store):
om@3	213	"""
om@3	214	Store for saving a session on disk.
om@3	215
om@3	216	>>> import tempfile
om@3	217	>>> root = tempfile.mkdtemp()
om@3	218	>>> s = DiskStore(root)
om@3	219	>>> s['a'] = 'foo'
om@3	220	>>> s['a']
om@3	221	'foo'
om@3	222	>>> time.sleep(0.01)
om@3	223	>>> s.cleanup(0.01)
om@3	224	>>> s['a']
om@3	225	Traceback (most recent call last):
om@3	226	...
om@3	227	KeyError: 'a'
om@3	228	"""
om@3	229	def __init__(self, root):
om@3	230	# if the storage root doesn't exists, create it.
om@3	231	if not os.path.exists(root):
om@3	232	os.makedirs(
om@3	233	os.path.abspath(root)
om@3	234	)
om@3	235	self.root = root
om@3	236
om@3	237	def _get_path(self, key):
om@3	238	if os.path.sep in key:
om@3	239	raise ValueError, "Bad key: %s" % repr(key)
om@3	240	return os.path.join(self.root, key)
om@3	241
om@3	242	def __contains__(self, key):
om@3	243	path = self._get_path(key)
om@3	244	return os.path.exists(path)
om@3	245
om@3	246	def __getitem__(self, key):
om@3	247	path = self._get_path(key)
om@3	248	if os.path.exists(path):
om@3	249	pickled = open(path).read()
om@3	250	return self.decode(pickled)
om@3	251	else:
om@3	252	raise KeyError, key
om@3	253
om@3	254	def __setitem__(self, key, value):
om@3	255	path = self._get_path(key)
om@3	256	pickled = self.encode(value)
om@3	257	try:
om@3	258	f = open(path, 'w')
om@3	259	try:
om@3	260	f.write(pickled)
om@3	261	finally:
om@3	262	f.close()
om@3	263	except IOError:
om@3	264	pass
om@3	265
om@3	266	def __delitem__(self, key):
om@3	267	path = self._get_path(key)
om@3	268	if os.path.exists(path):
om@3	269	os.remove(path)
om@3	270
om@3	271	def cleanup(self, timeout):
om@3	272	now = time.time()
om@3	273	for f in os.listdir(self.root):
om@3	274	path = self._get_path(f)
om@3	275	atime = os.stat(path).st_atime
om@3	276	if now - atime > timeout :
om@3	277	os.remove(path)
om@3	278
om@3	279	class DBStore(Store):
om@3	280	"""Store for saving a session in database
om@3	281	Needs a table with the following columns:
om@3	282
om@3	283	session_id CHAR(128) UNIQUE NOT NULL,
om@3	284	atime DATETIME NOT NULL default current_timestamp,
om@3	285	data TEXT
om@3	286	"""
om@3	287	def __init__(self, db, table_name):
om@3	288	self.db = db
om@3	289	self.table = table_name
om@3	290
om@3	291	def __contains__(self, key):
om@3	292	data = self.db.select(self.table, where="session_id=$key", vars=locals())
om@3	293	return bool(list(data))
om@3	294
om@3	295	def __getitem__(self, key):
om@3	296	now = datetime.datetime.now()
om@3	297	try:
om@3	298	s = self.db.select(self.table, where="session_id=$key", vars=locals())[0]
om@3	299	self.db.update(self.table, where="session_id=$key", atime=now, vars=locals())
om@3	300	except IndexError:
om@3	301	raise KeyError
om@3	302	else:
om@3	303	return self.decode(s.data)
om@3	304
om@3	305	def __setitem__(self, key, value):
om@3	306	pickled = self.encode(value)
om@3	307	now = datetime.datetime.now()
om@3	308	if key in self:
om@3	309	self.db.update(self.table, where="session_id=$key", data=pickled, vars=locals())
om@3	310	else:
om@3	311	self.db.insert(self.table, False, session_id=key, data=pickled )
om@3	312
om@3	313	def __delitem__(self, key):
om@3	314	self.db.delete(self.table, where="session_id=$key", vars=locals())
om@3	315
om@3	316	def cleanup(self, timeout):
om@3	317	timeout = datetime.timedelta(timeout/(24.06060)) #timedelta takes numdays as arg
om@3	318	last_allowed_time = datetime.datetime.now() - timeout
om@3	319	self.db.delete(self.table, where="$last_allowed_time > atime", vars=locals())
om@3	320
om@3	321	class ShelfStore:
om@3	322	"""Store for saving session using `shelve` module.
om@3	323
om@3	324	import shelve
om@3	325	store = ShelfStore(shelve.open('session.shelf'))
om@3	326
om@3	327	XXX: is shelve thread-safe?
om@3	328	"""
om@3	329	def __init__(self, shelf):
om@3	330	self.shelf = shelf
om@3	331
om@3	332	def __contains__(self, key):
om@3	333	return key in self.shelf
om@3	334
om@3	335	def __getitem__(self, key):
om@3	336	atime, v = self.shelf[key]
om@3	337	self[key] = v # update atime
om@3	338	return v
om@3	339
om@3	340	def __setitem__(self, key, value):
om@3	341	self.shelf[key] = time.time(), value
om@3	342
om@3	343	def __delitem__(self, key):
om@3	344	try:
om@3	345	del self.shelf[key]
om@3	346	except KeyError:
om@3	347	pass
om@3	348
om@3	349	def cleanup(self, timeout):
om@3	350	now = time.time()
om@3	351	for k in self.shelf.keys():
om@3	352	atime, v = self.shelf[k]
om@3	353	if now - atime > timeout :
om@3	354	del self[k]
om@3	355
om@3	356	if __name__ == '__main__' :
om@3	357	import doctest
om@3	358	doctest.testmod()

author	om
	Mon, 02 Dec 2013 14:02:05 +0100
changeset 3	65432e6c6042
permissions	-rwxr-xr-x