django1/django/contrib/sessions/middleware.py

import time
from importlib import import_module

from django.conf import settings
from django.contrib.sessions.backends.base import UpdateError
from django.shortcuts import redirect
from django.utils.cache import patch_vary_headers
from django.utils.deprecation import MiddlewareMixin
from django.utils.http import cookie_date


class SessionMiddleware(MiddlewareMixin):
    def __init__(self, get_response=None):
        self.get_response = get_response
        engine = import_module(settings.SESSION_ENGINE)
        self.SessionStore = engine.SessionStore

    def process_request(self, request):
        session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
        request.session = self.SessionStore(session_key)

    def process_response(self, request, response):
        """
        If request.session was modified, or if the configuration is to save the
        session every time, save the changes and set a session cookie or delete
        the session cookie if the session has been emptied.
        """
        try:
            accessed = request.session.accessed
            modified = request.session.modified
            empty = request.session.is_empty()
        except AttributeError:
            pass
        else:
            # First check if we need to delete this cookie.
            # The session should be deleted only if the session is entirely empty
            if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
                response.delete_cookie(
                    settings.SESSION_COOKIE_NAME,
                    path=settings.SESSION_COOKIE_PATH,
                    domain=settings.SESSION_COOKIE_DOMAIN,
                )
            else:
                if accessed:
                    patch_vary_headers(response, ('Cookie',))
                if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
                    if request.session.get_expire_at_browser_close():
                        max_age = None
                        expires = None
                    else:
                        max_age = request.session.get_expiry_age()
                        expires_time = time.time() + max_age
                        expires = cookie_date(expires_time)
                    # Save the session data and refresh the client cookie.
                    # Skip session save for 500 responses, refs #3881.
                    if response.status_code != 500:
                        try:
                            request.session.save()
                        except UpdateError:
                            # The user is now logged out; redirecting to same
                            # page will result in a redirect to the login page
                            # if required.
                            return redirect(request.path)
                        response.set_cookie(
                            settings.SESSION_COOKIE_NAME,
                            request.session.session_key, max_age=max_age,
                            expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
                            path=settings.SESSION_COOKIE_PATH,
                            secure=settings.SESSION_COOKIE_SECURE or None,
                            httponly=settings.SESSION_COOKIE_HTTPONLY or None,
                        )
        return response
Fixed imports, indention, and a long line. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6628 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-10-30 07:55:08 +08:00			`import time`
Sorted imports with isort; refs #23860. 2015-01-28 20:35:27 +08:00			`from importlib import import_module`
Fixed imports, indention, and a long line. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6628 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-10-30 07:55:08 +08:00
MERGED MAGIC-REMOVAL BRANCH TO TRUNK. This change is highly backwards-incompatible. Please read http://code.djangoproject.com/wiki/RemovingTheMagic for upgrade instructions. git-svn-id: http://code.djangoproject.com/svn/django/trunk@2809 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-05-02 09:31:56 +08:00			`from django.conf import settings`
Fixed #21608 -- Prevented logged out sessions being resurrected by concurrent requests. Thanks Simon Charette for the review. 2016-01-09 00:08:08 +08:00			`from django.contrib.sessions.backends.base import UpdateError`
			`from django.shortcuts import redirect`
Fixed #580 -- Added mega support for generating Vary headers, including some view decorators, and changed the CacheMiddleware to account for the Vary header. Also added GZipMiddleware and ConditionalGetMiddleware, which are no longer handled by CacheMiddleware itself. Also updated the cache.txt and middleware.txt docs. Thanks to Hugo and Sune for the excellent patches git-svn-id: http://code.djangoproject.com/svn/django/trunk@810 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-10-09 08:55:08 +08:00			`from django.utils.cache import patch_vary_headers`
Fixed #26601 -- Improved middleware per DEP 0005. Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP. 2015-11-07 23:12:37 +08:00			`from django.utils.deprecation import MiddlewareMixin`
Fixed #5816 -- Fixed a regression from [6333] that generates incorrect cookie "expires" dates when using a locale other than English. Introduced `http_date` and `cookie_date` utility functions. Thanks for the report Michael Lemaire. Thanks for the patch Karen Tracey and `SmileyChris`. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6634 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-10-31 11:59:40 +08:00			`from django.utils.http import cookie_date`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00
More attacking E302 violators 2013-11-03 04:12:09 +08:00
Fixed #26601 -- Improved middleware per DEP 0005. Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP. 2015-11-07 23:12:37 +08:00			`class SessionMiddleware(MiddlewareMixin):`
			`def __init__(self, get_response=None):`
			`self.get_response = get_response`
Fixed #8193: all dynamic imports in Django are now done correctly. I know this because Brett Cannon borrowed the time machine and brought Python 2.7's '`importlib` back for inclusion in Django. Thanks for the patch-from-the-future, Brett! git-svn-id: http://code.djangoproject.com/svn/django/trunk@10088 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2009-03-19 00:55:59 +08:00			`engine = import_module(settings.SESSION_ENGINE)`
Define the SessionStore inside __init__ instead of process_request It's unnecessary to run this on every request, since technically, settings should be immutable. 2013-06-30 14:26:10 +08:00			`self.SessionStore = engine.SessionStore`

			`def process_request(self, request):`
Removed unnecessary arguments in .get method calls 2015-05-14 02:51:18 +08:00			`session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)`
Define the SessionStore inside __init__ instead of process_request It's unnecessary to run this on every request, since technically, settings should be immutable. 2013-06-30 14:26:10 +08:00			`request.session = self.SessionStore(session_key)`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00
			`def process_response(self, request, response):`
Fixed #9096 -- Fixed a slightly out-of-date comment. git-svn-id: http://code.djangoproject.com/svn/django/trunk@9062 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-09-17 16:10:55 +08:00			`"""`
			`If request.session was modified, or if the configuration is to save the`
Fixed #20936 -- When logging out/ending a session, don't create a new, empty session. Previously, when logging out, the existing session was overwritten by a new sessionid instead of deleting the session altogether. This behavior added overhead by creating a new session record in whichever backend was in use: db, cache, etc. This extra session is unnecessary at the time since no session data is meant to be preserved when explicitly logging out. 2013-08-19 13:36:36 +08:00			`session every time, save the changes and set a session cookie or delete`
			`the session cookie if the session has been emptied.`
Fixed #9096 -- Fixed a slightly out-of-date comment. git-svn-id: http://code.djangoproject.com/svn/django/trunk@9062 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-09-17 16:10:55 +08:00			`"""`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`try:`
Fixed #3586 -- Only output "Vary: Cookie" HTTP header when the session object is accessed. Leads to better caching performance. Thanks, Owen Griffiths. git-svn-id: http://code.djangoproject.com/svn/django/trunk@4680 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-03-08 16:46:59 +08:00			`accessed = request.session.accessed`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`modified = request.session.modified`
Fixed #20936 -- When logging out/ending a session, don't create a new, empty session. Previously, when logging out, the existing session was overwritten by a new sessionid instead of deleting the session altogether. This behavior added overhead by creating a new session record in whichever backend was in use: db, cache, etc. This extra session is unnecessary at the time since no session data is meant to be preserved when explicitly logging out. 2013-08-19 13:36:36 +08:00			`empty = request.session.is_empty()`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`except AttributeError:`
Fixed #1048 -- Fixed AttributeError in sessions framework when SESSION_SAVE_EVERY_REQUEST is True and no cookie has been set yet. Thanks, Jiri Barton git-svn-id: http://code.djangoproject.com/svn/django/trunk@1978 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-01-15 14:18:03 +08:00			`pass`
			`else:`
Fixed #20936 -- When logging out/ending a session, don't create a new, empty session. Previously, when logging out, the existing session was overwritten by a new sessionid instead of deleting the session altogether. This behavior added overhead by creating a new session record in whichever backend was in use: db, cache, etc. This extra session is unnecessary at the time since no session data is meant to be preserved when explicitly logging out. 2013-08-19 13:36:36 +08:00			`# First check if we need to delete this cookie.`
			`# The session should be deleted only if the session is entirely empty`
			`if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:`
Fixed #26783 -- Fixed SessionMiddleware's empty cookie deletion when using SESSION_COOKIE_PATH. 2016-06-21 23:03:25 +08:00			`response.delete_cookie(`
			`settings.SESSION_COOKIE_NAME,`
			`path=settings.SESSION_COOKIE_PATH,`
			`domain=settings.SESSION_COOKIE_DOMAIN,`
			`)`
Fixed #20936 -- When logging out/ending a session, don't create a new, empty session. Previously, when logging out, the existing session was overwritten by a new sessionid instead of deleting the session altogether. This behavior added overhead by creating a new session record in whichever backend was in use: db, cache, etc. This extra session is unnecessary at the time since no session data is meant to be preserved when explicitly logging out. 2013-08-19 13:36:36 +08:00			`else:`
			`if accessed:`
			`patch_vary_headers(response, ('Cookie',))`
Fixed DoS possiblity in contrib.auth.views.logout() Thanks Florian Apolloner and Carl Meyer for review. This is a security fix. 2015-08-06 04:51:42 +08:00			`if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:`
Fixed #20936 -- When logging out/ending a session, don't create a new, empty session. Previously, when logging out, the existing session was overwritten by a new sessionid instead of deleting the session altogether. This behavior added overhead by creating a new session record in whichever backend was in use: db, cache, etc. This extra session is unnecessary at the time since no session data is meant to be preserved when explicitly logging out. 2013-08-19 13:36:36 +08:00			`if request.session.get_expire_at_browser_close():`
			`max_age = None`
			`expires = None`
			`else:`
			`max_age = request.session.get_expiry_age()`
			`expires_time = time.time() + max_age`
			`expires = cookie_date(expires_time)`
			`# Save the session data and refresh the client cookie.`
			`# Skip session save for 500 responses, refs #3881.`
			`if response.status_code != 500:`
Fixed #21608 -- Prevented logged out sessions being resurrected by concurrent requests. Thanks Simon Charette for the review. 2016-01-09 00:08:08 +08:00			`try:`
			`request.session.save()`
			`except UpdateError:`
			`# The user is now logged out; redirecting to same`
			`# page will result in a redirect to the login page`
			`# if required.`
			`return redirect(request.path)`
Fixed E128 flake8 warnings in django/. 2016-03-29 06:33:29 +08:00			`response.set_cookie(`
			`settings.SESSION_COOKIE_NAME,`
			`request.session.session_key, max_age=max_age,`
			`expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,`
			`path=settings.SESSION_COOKIE_PATH,`
			`secure=settings.SESSION_COOKIE_SECURE or None,`
			`httponly=settings.SESSION_COOKIE_HTTPONLY or None,`
			`)`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`return response`