From 041e24dbde48a38e539f85c378842849f7dc00a1 Mon Sep 17 00:00:00 2001
From: Malcolm Tredinnick
Date: Sun, 6 Jan 2008 12:53:09 +0000
Subject: [PATCH] Fixed a subtle corner case whereby sending a bad session ID generates new (unused) session entries in the database table.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@7001 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
django/contrib/sessions/backends/db.py | 16 +++++++++-------
django/contrib/sessions/backends/file.py | 20 +++++++++++---------
2 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/django/contrib/sessions/backends/db.py b/django/contrib/sessions/backends/db.py
index d1496d63bf..0f79d9ee1a 100644
--- a/django/contrib/sessions/backends/db.py
+++ b/django/contrib/sessions/backends/db.py
@@ -10,40 +10,42 @@ class SessionStore(SessionBase):
""" def __init__(self, session_key=None): super(SessionStore, self).__init__(session_key) - + def load(self): try: s = Session.objects.get( - session_key = self.session_key, + session_key = self.session_key, expire_date__gt=datetime.datetime.now() ) return self.decode(s.session_data) except (Session.DoesNotExist, SuspiciousOperation): - + # Create a new session_key for extra security. self.session_key = self._get_new_session_key() self._session_cache = {} # Save immediately to minimize collision self.save() + # Ensure the user is notified via a new cookie. + self.modified = True return {} - + def exists(self, session_key): try: Session.objects.get(session_key=session_key) except Session.DoesNotExist: return False return True - + def save(self): Session.objects.create( session_key = self.session_key, session_data = self.encode(self._session), expire_date = datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE) ) - + def delete(self, session_key): try: Session.objects.get(session_key=session_key).delete() except Session.DoesNotExist: - pass \ No newline at end of file + pass
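Review bot: The new `self.modified = True` after `self.save()` in `load` stops the row churn only for clients that honour the refreshed cookie; a client that keeps resending the same bad or expired key — a scanner, or someone doing it deliberately — still gets a fresh empty `Session` row inserted on every request, so the table can still be grown by unauthenticated traffic. If the eager save is kept for the collision-avoidance reason given in the existing comment, that residual cost belongs next to it, e.g. `# Save immediately to minimize collision; a client that ignores the new cookie still costs one empty row per request`; otherwise the insert could wait until there is session data to persist, which presumably the middleware's modified-driven save already handles — worth confirming. Separately, this hunk assigns `self.session_key` while the file backend in the same commit assigns `self._session_key`; unless `session_key` is a writable property on `SessionBase` (not visible here), one of the two assignments is not reaching the key the cookie is built from, and the two backends should agree on the attribute.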
diff --git a/django/contrib/sessions/backends/file.py b/django/contrib/sessions/backends/file.py
index a8c3c69b10..cd3e3d9c75 100644
--- a/django/contrib/sessions/backends/file.py
+++ b/django/contrib/sessions/backends/file.py
@@ -10,31 +10,31 @@ class SessionStore(SessionBase):
""" def __init__(self, session_key=None): self.storage_path = getattr(settings, "SESSION_FILE_PATH", tempfile.gettempdir()) - + # Make sure the storage path is valid. if not os.path.isdir(self.storage_path): raise ImproperlyConfigured("The session storage path %r doesn't exist. "\ "Please set your SESSION_FILE_PATH setting "\ "to an existing directory in which Django "\ "can store session data." % self.storage_path) - - self.file_prefix = settings.SESSION_COOKIE_NAME + + self.file_prefix = settings.SESSION_COOKIE_NAME super(SessionStore, self).__init__(session_key) - + def _key_to_file(self, session_key=None): """ Get the file associated with this session key. """ if session_key is None: session_key = self.session_key - + # Make sure we're not vulnerable to directory traversal. Session keys # should always be md5s, so they should never contain directory components. if os.path.sep in session_key: raise SuspiciousOperation("Invalid characters (directory components) in session key") - + return os.path.join(self.storage_path, self.file_prefix + session_key) - + def load(self): session_data = {} try:
@@ -46,6 +46,8 @@ class SessionStore(SessionBase):
self._session_key = self._get_new_session_key() self._session_cache = {} self.save() + # Ensure the user is notified via a new cookie. + self.modified = True finally: session_file.close() except(IOError):
@@ -66,12 +68,12 @@ class SessionStore(SessionBase):
if os.path.exists(self._key_to_file(session_key)): return True return False - + def delete(self, session_key): try: os.unlink(self._key_to_file(session_key)) except OSError: pass - + def clean(self): pass
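Review bot: In `load`, the new `self.modified = True` runs only if `self.save()` returns, and the hunk ends with an `except(IOError): pass` around this block, so a failed write of the regenerated session file leaves the flag unset, the old cookie in place and nothing logged, and the next request silently repeats the whole regenerate-and-save cycle. Setting the flag before the save (`self.modified = True` directly after `self._session_cache = {}`) keeps the cookie refresh independent of whether the write succeeded. As with the db backend, the eager `self.save()` still writes one new file per request for a client that keeps resending a bad key, which under the default `tempfile.gettempdir()` storage path is a cheap way to fill a shared directory; if the save stays, a comment such as `# One empty session file per request from clients that ignore the new cookie` should record that. The start of `load` is outside this hunk, so it cannot be confirmed here whether a key whose file simply does not exist (IOError on open) also reaches this regeneration branch; if it does not, a client-chosen key is kept and later written under that name, which is the fixation case the regeneration is meant to guard against — worth checking against the lines above.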