django1/django/contrib/sessions/backends/cache.py

from django.conf import settings
from django.contrib.sessions.backends.base import CreateError, SessionBase, UpdateError
from django.core.cache import caches

KEY_PREFIX = "django.contrib.sessions.cache"


class SessionStore(SessionBase):
    """
    A cache-based session store.
    """

    cache_key_prefix = KEY_PREFIX

    def __init__(self, session_key=None):
        self._cache = caches[settings.SESSION_CACHE_ALIAS]
        super().__init__(session_key)

    @property
    def cache_key(self):
        return self.cache_key_prefix + self._get_or_create_session_key()

    def load(self):
        try:
            session_data = self._cache.get(self.cache_key)
        except Exception:
            # Some backends (e.g. memcache) raise an exception on invalid
            # cache keys. If this happens, reset the session. See #17810.
            session_data = None
        if session_data is not None:
            return session_data
        self._session_key = None
        return {}

    def create(self):
        # Because a cache can fail silently (e.g. memcache), we don't know if
        # we are failing to create a new session because of a key collision or
        # because the cache is missing. So we try for a (large) number of times
        # and then raise an exception. That's the risk you shoulder if using
        # cache backing.
        for i in range(10000):
            self._session_key = self._get_new_session_key()
            try:
                self.save(must_create=True)
            except CreateError:
                continue
            self.modified = True
            return
        raise RuntimeError(
            "Unable to create a new session key. "
            "It is likely that the cache is unavailable."
        )

    def save(self, must_create=False):
        if self.session_key is None:
            return self.create()
        if must_create:
            func = self._cache.add
        elif self._cache.get(self.cache_key) is not None:
            func = self._cache.set
        else:
            raise UpdateError
        result = func(
            self.cache_key,
            self._get_session(no_load=must_create),
            self.get_expiry_age(),
        )
        if must_create and not result:
            raise CreateError

    def exists(self, session_key):
        return (
            bool(session_key) and (self.cache_key_prefix + session_key) in self._cache
        )

    def delete(self, session_key=None):
        if session_key is None:
            if self.session_key is None:
                return
            session_key = self.session_key
        self._cache.delete(self.cache_key_prefix + session_key)

    @classmethod
    def clear_expired(cls):
        pass
Fixed #17083 -- Allowed sessions to use non-default cache. 2012-10-31 04:59:23 +08:00			`from django.conf import settings`
Fixed #21608 -- Prevented logged out sessions being resurrected by concurrent requests. Thanks Simon Charette for the review. 2016-01-09 00:08:08 +08:00			`from django.contrib.sessions.backends.base import CreateError, SessionBase, UpdateError`
Fixed #21012 -- New API to access cache backends. Thanks Curtis Malony and Florian Apolloner. Squashed commit of the following: commit 3380495e93f5e81b80a251b03ddb0a80b17685f5 Author: Aymeric Augustin <aymeric.augustin@m4x.org> Date: Sat Nov 23 14:18:07 2013 +0100 Looked up the template_fragments cache at runtime. commit 905a74f52b24a198f802520ff06290a94dedc687 Author: Aymeric Augustin <aymeric.augustin@m4x.org> Date: Sat Nov 23 14:19:48 2013 +0100 Removed all uses of create_cache. Refactored the cache tests significantly. Made it safe to override the CACHES setting. commit 35e289fe9285feffed3c60657af9279a6a2cfccc Author: Aymeric Augustin <aymeric.augustin@m4x.org> Date: Sat Nov 23 12:23:57 2013 +0100 Removed create_cache function. commit 8e274f747a1f1c0c0e6c37873e29067f7fa022e8 Author: Aymeric Augustin <aymeric.augustin@m4x.org> Date: Sat Nov 23 12:04:52 2013 +0100 Updated docs to describe a simplified cache backend API. commit ee7eb0f73e6d4699edcf5d357dce715224525cf6 Author: Curtis Maloney <curtis@tinbrain.net> Date: Sat Oct 19 09:49:24 2013 +1100 Fixed #21012 -- Thread-local caches, like databases. 2013-10-19 06:49:24 +08:00			`from django.core.cache import caches`
Fixed #2066: session data can now be stored in the cache or on the filesystem. This should be fully backwards-compatible (the database cache store is still the default). A big thanks to John D'Agostino for the bulk of this code. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6333 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-09-16 05:29:14 +08:00
Corrected an issue which could allow attackers to manipulate session data using the cache. A security announcement will be made shortly. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16759 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-09-10 08:46:48 +08:00			`KEY_PREFIX = "django.contrib.sessions.cache"`

Fixed an incompatibility with Python 2.5 in the changes done in r17795. Refs #17810. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17796 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2012-03-23 17:32:11 +08:00
Fixed #2066: session data can now be stored in the cache or on the filesystem. This should be fully backwards-compatible (the database cache store is still the default). A big thanks to John D'Agostino for the bulk of this code. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6333 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-09-16 05:29:14 +08:00			`class SessionStore(SessionBase):`
			`"""`
Fixed #2548: added get/set_expiry methods to session objects. Thanks, Amit Upadhyay and SmileyChris. git-svn-id: http://code.djangoproject.com/svn/django/trunk@7586 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-06-08 04:28:06 +08:00			`A cache-based session store.`
Fixed #2066: session data can now be stored in the cache or on the filesystem. This should be fully backwards-compatible (the database cache store is still the default). A big thanks to John D'Agostino for the bulk of this code. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6333 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-09-16 05:29:14 +08:00			`"""`
Refs #33476 -- Reformatted code with Black. 2022-02-04 03:24:19 +08:00
Fixed #22634 -- Made the database-backed session backends more extensible. Introduced an AbstractBaseSession model and hooks providing the option of overriding the model class used by the session store and the session store class used by the model. 2014-05-17 00:18:34 +08:00			`cache_key_prefix = KEY_PREFIX`

Fixed #2066: session data can now be stored in the cache or on the filesystem. This should be fully backwards-compatible (the database cache store is still the default). A big thanks to John D'Agostino for the bulk of this code. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6333 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-09-16 05:29:14 +08:00			`def __init__(self, session_key=None):`
Fixed #21012 -- New API to access cache backends. Thanks Curtis Malony and Florian Apolloner. Squashed commit of the following: commit 3380495e93f5e81b80a251b03ddb0a80b17685f5 Author: Aymeric Augustin <aymeric.augustin@m4x.org> Date: Sat Nov 23 14:18:07 2013 +0100 Looked up the template_fragments cache at runtime. commit 905a74f52b24a198f802520ff06290a94dedc687 Author: Aymeric Augustin <aymeric.augustin@m4x.org> Date: Sat Nov 23 14:19:48 2013 +0100 Removed all uses of create_cache. Refactored the cache tests significantly. Made it safe to override the CACHES setting. commit 35e289fe9285feffed3c60657af9279a6a2cfccc Author: Aymeric Augustin <aymeric.augustin@m4x.org> Date: Sat Nov 23 12:23:57 2013 +0100 Removed create_cache function. commit 8e274f747a1f1c0c0e6c37873e29067f7fa022e8 Author: Aymeric Augustin <aymeric.augustin@m4x.org> Date: Sat Nov 23 12:04:52 2013 +0100 Updated docs to describe a simplified cache backend API. commit ee7eb0f73e6d4699edcf5d357dce715224525cf6 Author: Curtis Maloney <curtis@tinbrain.net> Date: Sat Oct 19 09:49:24 2013 +1100 Fixed #21012 -- Thread-local caches, like databases. 2013-10-19 06:49:24 +08:00			`self._cache = caches[settings.SESSION_CACHE_ALIAS]`
Refs #23919 -- Replaced super(ClassName, self) with super(). 2017-01-21 21:13:44 +08:00			`super().__init__(session_key)`
Fixed #2548: added get/set_expiry methods to session objects. Thanks, Amit Upadhyay and SmileyChris. git-svn-id: http://code.djangoproject.com/svn/django/trunk@7586 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-06-08 04:28:06 +08:00
Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. Refs #13478. This also removes the implicit initialization of the session key on the first access in favor of explicit initialization. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17155 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-11-28 01:52:24 +08:00			`@property`
			`def cache_key(self):`
Fixed #22634 -- Made the database-backed session backends more extensible. Introduced an AbstractBaseSession model and hooks providing the option of overriding the model class used by the session store and the session store class used by the model. 2014-05-17 00:18:34 +08:00			`return self.cache_key_prefix + self._get_or_create_session_key()`
Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. Refs #13478. This also removes the implicit initialization of the session key on the first access in favor of explicit initialization. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17155 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-11-28 01:52:24 +08:00
Fixed #2066: session data can now be stored in the cache or on the filesystem. This should be fully backwards-compatible (the database cache store is still the default). A big thanks to John D'Agostino for the bulk of this code. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6333 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-09-16 05:29:14 +08:00			`def load(self):`
Fixed #17810. Catch session key errors. Catches memcached session key errors related to overly long session keys. This is a long-standing bug, but severity was exacerbated by the addition of cookie-backed session storage, which generates long session values. If an installation switched from cookie-backed session store to memcached, users would not be able to log in because of the server error from overly long memcached keys. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17795 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2012-03-23 13:31:11 +08:00			`try:`
Removed unnecessary arguments in .get method calls 2015-05-14 02:51:18 +08:00			`session_data = self._cache.get(self.cache_key)`
Fixed #17810 (again). Catch session key errors. The previous commit didn't work with PyLibMC. This solution appears to be the best compromise at this point in the 1.4 release cycle. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17797 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2012-03-24 00:14:46 +08:00			`except Exception:`
			`# Some backends (e.g. memcache) raise an exception on invalid`
			`# cache keys. If this happens, reset the session. See #17810.`
Fixed #17810. Catch session key errors. Catches memcached session key errors related to overly long session keys. This is a long-standing bug, but severity was exacerbated by the addition of cookie-backed session storage, which generates long session values. If an installation switched from cookie-backed session store to memcached, users would not be able to log in because of the server error from overly long memcached keys. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17795 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2012-03-23 13:31:11 +08:00			`session_data = None`
Added guaranteed atomic creation of new session objects. Slightly backwards incompatible for custom session backends. Whilst we were in the neighbourhood, use a larger range of session key values to save a small amount of time and use the hardware-base random numbers where available (transparently falls back to pseudo-RNG otherwise). Fixed #1080 git-svn-id: http://code.djangoproject.com/svn/django/trunk@8340 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-14 11:57:18 +08:00			`if session_data is not None:`
			`return session_data`
Fixed #19324 -- Avoided creating a session record when loading the session. The session record is now only created if/when the session is modified. This prevents a potential DoS via creation of many empty session records. This is a security fix; disclosure to follow shortly. 2015-06-11 05:45:20 +08:00			`self._session_key = None`
Fixed #8351 -- Fixed the returned value when we attempt to load a cache-backed session object that doesn't alreayd exist. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8410 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-16 23:54:36 +08:00			`return {}`
Fixed #2066: session data can now be stored in the cache or on the filesystem. This should be fully backwards-compatible (the database cache store is still the default). A big thanks to John D'Agostino for the bulk of this code. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6333 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-09-16 05:29:14 +08:00
Added guaranteed atomic creation of new session objects. Slightly backwards incompatible for custom session backends. Whilst we were in the neighbourhood, use a larger range of session key values to save a small amount of time and use the hardware-base random numbers where available (transparently falls back to pseudo-RNG otherwise). Fixed #1080 git-svn-id: http://code.djangoproject.com/svn/django/trunk@8340 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-14 11:57:18 +08:00			`def create(self):`
Fixed #8311 -- Avoid an infinite loop with session key generation when using the cache backend and memcached goes away (or is not running). git-svn-id: http://code.djangoproject.com/svn/django/trunk@8620 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-27 16:58:51 +08:00			`# Because a cache can fail silently (e.g. memcache), we don't know if`
			`# we are failing to create a new session because of a key collision or`
			`# because the cache is missing. So we try for a (large) number of times`
			`# and then raise an exception. That's the risk you shoulder if using`
			`# cache backing.`
Fixed #23812 -- Changed django.utils.six.moves.xrange imports to range 2014-12-13 21:04:36 +08:00			`for i in range(10000):`
Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. Refs #13478. This also removes the implicit initialization of the session key on the first access in favor of explicit initialization. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17155 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-11-28 01:52:24 +08:00			`self._session_key = self._get_new_session_key()`
Added guaranteed atomic creation of new session objects. Slightly backwards incompatible for custom session backends. Whilst we were in the neighbourhood, use a larger range of session key values to save a small amount of time and use the hardware-base random numbers where available (transparently falls back to pseudo-RNG otherwise). Fixed #1080 git-svn-id: http://code.djangoproject.com/svn/django/trunk@8340 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-14 11:57:18 +08:00			`try:`
			`self.save(must_create=True)`
			`except CreateError:`
			`continue`
			`self.modified = True`
			`return`
Fixed #14093 -- Improved error message in the cache session backend. Thanks stumbles for the patch. 2012-10-28 19:40:10 +08:00			`raise RuntimeError(`
			`"Unable to create a new session key. "`
			`"It is likely that the cache is unavailable."`
			`)`
Added guaranteed atomic creation of new session objects. Slightly backwards incompatible for custom session backends. Whilst we were in the neighbourhood, use a larger range of session key values to save a small amount of time and use the hardware-base random numbers where available (transparently falls back to pseudo-RNG otherwise). Fixed #1080 git-svn-id: http://code.djangoproject.com/svn/django/trunk@8340 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-14 11:57:18 +08:00
			`def save(self, must_create=False):`
Fixed #19324 -- Avoided creating a session record when loading the session. The session record is now only created if/when the session is modified. This prevents a potential DoS via creation of many empty session records. This is a security fix; disclosure to follow shortly. 2015-06-11 05:45:20 +08:00			`if self.session_key is None:`
			`return self.create()`
Added guaranteed atomic creation of new session objects. Slightly backwards incompatible for custom session backends. Whilst we were in the neighbourhood, use a larger range of session key values to save a small amount of time and use the hardware-base random numbers where available (transparently falls back to pseudo-RNG otherwise). Fixed #1080 git-svn-id: http://code.djangoproject.com/svn/django/trunk@8340 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-14 11:57:18 +08:00			`if must_create:`
			`func = self._cache.add`
Refs #21608 -- Fixed incorrect cache key in cache session backend's save(). The bug was introduced commit 3389c5ea229884a1943873fe7e7ffc2800cefc22. 2016-04-04 06:09:10 +08:00			`elif self._cache.get(self.cache_key) is not None:`
Added guaranteed atomic creation of new session objects. Slightly backwards incompatible for custom session backends. Whilst we were in the neighbourhood, use a larger range of session key values to save a small amount of time and use the hardware-base random numbers where available (transparently falls back to pseudo-RNG otherwise). Fixed #1080 git-svn-id: http://code.djangoproject.com/svn/django/trunk@8340 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-14 11:57:18 +08:00			`func = self._cache.set`
Fixed #21608 -- Prevented logged out sessions being resurrected by concurrent requests. Thanks Simon Charette for the review. 2016-01-09 00:08:08 +08:00			`else:`
			`raise UpdateError`
Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. Refs #13478. This also removes the implicit initialization of the session key on the first access in favor of explicit initialization. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17155 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-11-28 01:52:24 +08:00			`result = func(`
			`self.cache_key,`
			`self._get_session(no_load=must_create),`
			`self.get_expiry_age(),`
			`)`
Added guaranteed atomic creation of new session objects. Slightly backwards incompatible for custom session backends. Whilst we were in the neighbourhood, use a larger range of session key values to save a small amount of time and use the hardware-base random numbers where available (transparently falls back to pseudo-RNG otherwise). Fixed #1080 git-svn-id: http://code.djangoproject.com/svn/django/trunk@8340 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-14 11:57:18 +08:00			`if must_create and not result:`
			`raise CreateError`
Fixed #2066: session data can now be stored in the cache or on the filesystem. This should be fully backwards-compatible (the database cache store is still the default). A big thanks to John D'Agostino for the bulk of this code. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6333 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-09-16 05:29:14 +08:00
			`def exists(self, session_key):`
Fixed #28167 -- Fixed cache backend's SessionStore.exists() if session_key is None. 2017-05-03 22:09:28 +08:00			`return (`
			`bool(session_key) and (self.cache_key_prefix + session_key) in self._cache`
Refs #33476 -- Reformatted code with Black. 2022-02-04 03:24:19 +08:00			`)`
Fixed #2548: added get/set_expiry methods to session objects. Thanks, Amit Upadhyay and SmileyChris. git-svn-id: http://code.djangoproject.com/svn/django/trunk@7586 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-06-08 04:28:06 +08:00
Implemented a flush() method on sessions that cleans out the session and regenerates the key. Used to ensure the caller gets a fresh session at logout, for example. Based on a patch from mrts. Refs #7515. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8342 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-14 11:57:46 +08:00			`def delete(self, session_key=None):`
			`if session_key is None:`
Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. Refs #13478. This also removes the implicit initialization of the session key on the first access in favor of explicit initialization. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17155 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-11-28 01:52:24 +08:00			`if self.session_key is None:`
Made a few small tweaks to reduce persistent storage accesses in the session backend. Refs #8311, although doesn't fix the problem there. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8381 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-08-15 22:59:11 +08:00			`return`
Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. Refs #13478. This also removes the implicit initialization of the session key on the first access in favor of explicit initialization. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17155 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-11-28 01:52:24 +08:00			`session_key = self.session_key`
Fixed #22634 -- Made the database-backed session backends more extensible. Introduced an AbstractBaseSession model and hooks providing the option of overriding the model class used by the session store and the session store class used by the model. 2014-05-17 00:18:34 +08:00			`self._cache.delete(self.cache_key_prefix + session_key)`
Fixed #18194 -- Expiration of file-based sessions * Prevented stale session files from being loaded * Added removal of stale session files in django-admin.py clearsessions Thanks ej for the report, crodjer and Elvard for their inputs. 2012-10-28 05:12:08 +08:00
			`@classmethod`
			`def clear_expired(cls):`
			`pass`