django1/django/contrib/sessions/middleware.py

from django.conf import settings
from django.contrib.sessions.models import Session
from django.core.exceptions import SuspiciousOperation
from django.utils.cache import patch_vary_headers
import datetime

TEST_COOKIE_NAME = 'testcookie'
TEST_COOKIE_VALUE = 'worked'

class SessionWrapper(object):
    def __init__(self, session_key):
        self.session_key = session_key
        self.accessed = False
        self.modified = False

    def __contains__(self, key):
        return key in self._session

    def __getitem__(self, key):
        return self._session[key]

    def __setitem__(self, key, value):
        self._session[key] = value
        self.modified = True

    def __delitem__(self, key):
        del self._session[key]
        self.modified = True

    def keys(self):
        return self._session.keys()

    def items(self):
        return self._session.items()

    def get(self, key, default=None):
        return self._session.get(key, default)

    def set_test_cookie(self):
        self[TEST_COOKIE_NAME] = TEST_COOKIE_VALUE

    def test_cookie_worked(self):
        return self.get(TEST_COOKIE_NAME) == TEST_COOKIE_VALUE

    def delete_test_cookie(self):
        del self[TEST_COOKIE_NAME]

    def _get_session(self):
        # Lazily loads session from storage.
        self.accessed = True
        try:
            return self._session_cache
        except AttributeError:
            if self.session_key is None:
                self._session_cache = {}
            else:
                try:
                    s = Session.objects.get(session_key=self.session_key,
                        expire_date__gt=datetime.datetime.now())
                    self._session_cache = s.get_decoded()
                except (Session.DoesNotExist, SuspiciousOperation):
                    self._session_cache = {}
                    # Set the session_key to None to force creation of a new
                    # key, for extra security.
                    self.session_key = None
            return self._session_cache

    _session = property(_get_session)

class SessionMiddleware(object):
    def process_request(self, request):
        request.session = SessionWrapper(request.COOKIES.get(settings.SESSION_COOKIE_NAME, None))

    def process_response(self, request, response):
        # If request.session was modified, or if response.session was set, save
        # those changes and set a session cookie.
        try:
            accessed = request.session.accessed
            modified = request.session.modified
        except AttributeError:
            pass
        else:
            if accessed:
                patch_vary_headers(response, ('Cookie',))
            if modified or settings.SESSION_SAVE_EVERY_REQUEST:
                if request.session.session_key:
                    session_key = request.session.session_key
                else:
                    obj = Session.objects.get_new_session_object()
                    session_key = obj.session_key

                if settings.SESSION_EXPIRE_AT_BROWSER_CLOSE:
                    max_age = None
                    expires = None
                else:
                    max_age = settings.SESSION_COOKIE_AGE
                    expires = datetime.datetime.strftime(datetime.datetime.utcnow() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE), "%a, %d-%b-%Y %H:%M:%S GMT")
                new_session = Session.objects.save(session_key, request.session._session,
                    datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE))
                response.set_cookie(settings.SESSION_COOKIE_NAME, session_key,
                    max_age=max_age, expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
                    secure=settings.SESSION_COOKIE_SECURE or None)
        return response
MERGED MAGIC-REMOVAL BRANCH TO TRUNK. This change is highly backwards-incompatible. Please read http://code.djangoproject.com/wiki/RemovingTheMagic for upgrade instructions. git-svn-id: http://code.djangoproject.com/svn/django/trunk@2809 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-05-02 09:31:56 +08:00			`from django.conf import settings`
			`from django.contrib.sessions.models import Session`
Fixed #2133 -- Invalid session cookie no longer causes fatal error. Thanks, greg-django@abbas.org git-svn-id: http://code.djangoproject.com/svn/django/trunk@4423 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-01-25 08:47:44 +08:00			`from django.core.exceptions import SuspiciousOperation`
Fixed #580 -- Added mega support for generating Vary headers, including some view decorators, and changed the CacheMiddleware to account for the Vary header. Also added GZipMiddleware and ConditionalGetMiddleware, which are no longer handled by CacheMiddleware itself. Also updated the cache.txt and middleware.txt docs. Thanks to Hugo and Sune for the excellent patches git-svn-id: http://code.djangoproject.com/svn/django/trunk@810 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-10-09 08:55:08 +08:00			`from django.utils.cache import patch_vary_headers`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`import datetime`

			`TEST_COOKIE_NAME = 'testcookie'`
			`TEST_COOKIE_VALUE = 'worked'`

			`class SessionWrapper(object):`
			`def __init__(self, session_key):`
			`self.session_key = session_key`
Fixed #3586 -- Only output "Vary: Cookie" HTTP header when the session object is accessed. Leads to better caching performance. Thanks, Owen Griffiths. git-svn-id: http://code.djangoproject.com/svn/django/trunk@4680 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-03-08 16:46:59 +08:00			`self.accessed = False`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`self.modified = False`

Fixed #1137 -- Added a _contains_() method to SessionWrapper. Thanks, Brant git-svn-id: http://code.djangoproject.com/svn/django/trunk@1793 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-12-30 03:17:32 +08:00			`def __contains__(self, key):`
			`return key in self._session`

Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`def __getitem__(self, key):`
			`return self._session[key]`

			`def __setitem__(self, key, value):`
			`self._session[key] = value`
			`self.modified = True`

			`def __delitem__(self, key):`
			`del self._session[key]`
			`self.modified = True`

Fixed #1339 -- Added keys() and items() methods to session objects. Thanks, Ned Batchelder git-svn-id: http://code.djangoproject.com/svn/django/trunk@2300 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-02-11 05:33:07 +08:00			`def keys(self):`
			`return self._session.keys()`

			`def items(self):`
			`return self._session.items()`

Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`def get(self, key, default=None):`
			`return self._session.get(key, default)`

			`def set_test_cookie(self):`
			`self[TEST_COOKIE_NAME] = TEST_COOKIE_VALUE`

			`def test_cookie_worked(self):`
			`return self.get(TEST_COOKIE_NAME) == TEST_COOKIE_VALUE`

Added request.session.delete_test_cookie() git-svn-id: http://code.djangoproject.com/svn/django/trunk@669 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-09-23 09:28:44 +08:00			`def delete_test_cookie(self):`
			`del self[TEST_COOKIE_NAME]`

Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`def _get_session(self):`
			`# Lazily loads session from storage.`
Fixed #3586 -- Only output "Vary: Cookie" HTTP header when the session object is accessed. Leads to better caching performance. Thanks, Owen Griffiths. git-svn-id: http://code.djangoproject.com/svn/django/trunk@4680 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-03-08 16:46:59 +08:00			`self.accessed = True`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`try:`
			`return self._session_cache`
			`except AttributeError:`
			`if self.session_key is None:`
			`self._session_cache = {}`
			`else:`
			`try:`
MERGED MAGIC-REMOVAL BRANCH TO TRUNK. This change is highly backwards-incompatible. Please read http://code.djangoproject.com/wiki/RemovingTheMagic for upgrade instructions. git-svn-id: http://code.djangoproject.com/svn/django/trunk@2809 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-05-02 09:31:56 +08:00			`s = Session.objects.get(session_key=self.session_key,`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`expire_date__gt=datetime.datetime.now())`
			`self._session_cache = s.get_decoded()`
Fixed #2133 -- Invalid session cookie no longer causes fatal error. Thanks, greg-django@abbas.org git-svn-id: http://code.djangoproject.com/svn/django/trunk@4423 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-01-25 08:47:44 +08:00			`except (Session.DoesNotExist, SuspiciousOperation):`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`self._session_cache = {}`
Improved session code to force creation of a new session key if the given session key doesn't exist -- for extra security git-svn-id: http://code.djangoproject.com/svn/django/trunk@536 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-19 00:45:15 +08:00			`# Set the session_key to None to force creation of a new`
			`# key, for extra security.`
			`self.session_key = None`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`return self._session_cache`

			`_session = property(_get_session)`

Fixed #2109 -- Convert old-style classes to new-style classes throughout Django. Thanks, Nicola Larosa git-svn-id: http://code.djangoproject.com/svn/django/trunk@3113 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-06-08 13:00:13 +08:00			`class SessionMiddleware(object):`
Changed SessionMiddleware to use process_request instead of process_view -- that way it always gets called, even for 404s git-svn-id: http://code.djangoproject.com/svn/django/trunk@545 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-23 03:19:54 +08:00			`def process_request(self, request):`
MERGED MAGIC-REMOVAL BRANCH TO TRUNK. This change is highly backwards-incompatible. Please read http://code.djangoproject.com/wiki/RemovingTheMagic for upgrade instructions. git-svn-id: http://code.djangoproject.com/svn/django/trunk@2809 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-05-02 09:31:56 +08:00			`request.session = SessionWrapper(request.COOKIES.get(settings.SESSION_COOKIE_NAME, None))`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00
			`def process_response(self, request, response):`
			`# If request.session was modified, or if response.session was set, save`
			`# those changes and set a session cookie.`
			`try:`
Fixed #3586 -- Only output "Vary: Cookie" HTTP header when the session object is accessed. Leads to better caching performance. Thanks, Owen Griffiths. git-svn-id: http://code.djangoproject.com/svn/django/trunk@4680 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-03-08 16:46:59 +08:00			`accessed = request.session.accessed`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`modified = request.session.modified`
			`except AttributeError:`
Fixed #1048 -- Fixed AttributeError in sessions framework when SESSION_SAVE_EVERY_REQUEST is True and no cookie has been set yet. Thanks, Jiri Barton git-svn-id: http://code.djangoproject.com/svn/django/trunk@1978 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-01-15 14:18:03 +08:00			`pass`
			`else:`
Fixed #3586 -- Only output "Vary: Cookie" HTTP header when the session object is accessed. Leads to better caching performance. Thanks, Owen Griffiths. git-svn-id: http://code.djangoproject.com/svn/django/trunk@4680 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-03-08 16:46:59 +08:00			`if accessed:`
			`patch_vary_headers(response, ('Cookie',))`
MERGED MAGIC-REMOVAL BRANCH TO TRUNK. This change is highly backwards-incompatible. Please read http://code.djangoproject.com/wiki/RemovingTheMagic for upgrade instructions. git-svn-id: http://code.djangoproject.com/svn/django/trunk@2809 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-05-02 09:31:56 +08:00			`if modified or settings.SESSION_SAVE_EVERY_REQUEST:`
Reduced the chances of session object collision. The window of opportunity is now about five Python instructions in get_or_create(). This doesn't guarantee no collisions, but should fix many occurrences. Refs #1180. git-svn-id: http://code.djangoproject.com/svn/django/trunk@4771 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-03-22 10:20:33 +08:00			`if request.session.session_key:`
			`session_key = request.session.session_key`
			`else:`
			`obj = Session.objects.get_new_session_object()`
			`session_key = obj.session_key`

Fixed #395 -- Added SESSION_EXPIRE_AT_BROWSER_CLOSE setting, which regulates whether session framework should use browser-session-length cookies. git-svn-id: http://code.djangoproject.com/svn/django/trunk@3049 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-06-02 06:25:06 +08:00			`if settings.SESSION_EXPIRE_AT_BROWSER_CLOSE:`
			`max_age = None`
			`expires = None`
			`else:`
			`max_age = settings.SESSION_COOKIE_AGE`
			`expires = datetime.datetime.strftime(datetime.datetime.utcnow() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE), "%a, %d-%b-%Y %H:%M:%S GMT")`
MERGED MAGIC-REMOVAL BRANCH TO TRUNK. This change is highly backwards-incompatible. Please read http://code.djangoproject.com/wiki/RemovingTheMagic for upgrade instructions. git-svn-id: http://code.djangoproject.com/svn/django/trunk@2809 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-05-02 09:31:56 +08:00			`new_session = Session.objects.save(session_key, request.session._session,`
			`datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE))`
			`response.set_cookie(settings.SESSION_COOKIE_NAME, session_key,`
Fixed #2523 -- Added SESSION_COOKIE_SECURE setting. Thanks, mir@noris.de git-svn-id: http://code.djangoproject.com/svn/django/trunk@3570 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-08-12 14:02:28 +08:00			`max_age=max_age, expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,`
			`secure=settings.SESSION_COOKIE_SECURE or None)`
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create. git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-08-17 06:54:05 +08:00			`return response`