145 lines
5.1 KiB
Python
145 lines
5.1 KiB
Python
import errno
|
|
import os
|
|
import tempfile
|
|
|
|
from django.conf import settings
|
|
from django.contrib.sessions.backends.base import SessionBase, CreateError
|
|
from django.core.exceptions import SuspiciousOperation, ImproperlyConfigured
|
|
|
|
|
|
class SessionStore(SessionBase):
|
|
"""
|
|
Implements a file based session store.
|
|
"""
|
|
def __init__(self, session_key=None):
|
|
self.storage_path = getattr(settings, "SESSION_FILE_PATH", None)
|
|
if not self.storage_path:
|
|
self.storage_path = tempfile.gettempdir()
|
|
|
|
# Make sure the storage path is valid.
|
|
if not os.path.isdir(self.storage_path):
|
|
raise ImproperlyConfigured(
|
|
"The session storage path %r doesn't exist. Please set your"
|
|
" SESSION_FILE_PATH setting to an existing directory in which"
|
|
" Django can store session data." % self.storage_path)
|
|
|
|
self.file_prefix = settings.SESSION_COOKIE_NAME
|
|
super(SessionStore, self).__init__(session_key)
|
|
|
|
VALID_KEY_CHARS = set("abcdef0123456789")
|
|
|
|
def _key_to_file(self, session_key=None):
|
|
"""
|
|
Get the file associated with this session key.
|
|
"""
|
|
if session_key is None:
|
|
session_key = self._get_or_create_session_key()
|
|
|
|
# Make sure we're not vulnerable to directory traversal. Session keys
|
|
# should always be md5s, so they should never contain directory
|
|
# components.
|
|
if not set(session_key).issubset(self.VALID_KEY_CHARS):
|
|
raise SuspiciousOperation(
|
|
"Invalid characters in session key")
|
|
|
|
return os.path.join(self.storage_path, self.file_prefix + session_key)
|
|
|
|
def load(self):
|
|
session_data = {}
|
|
try:
|
|
with open(self._key_to_file(), "rb") as session_file:
|
|
file_data = session_file.read()
|
|
# Don't fail if there is no data in the session file.
|
|
# We may have opened the empty placeholder file.
|
|
if file_data:
|
|
try:
|
|
session_data = self.decode(file_data)
|
|
except (EOFError, SuspiciousOperation):
|
|
self.create()
|
|
except IOError:
|
|
self.create()
|
|
return session_data
|
|
|
|
def create(self):
|
|
while True:
|
|
self._session_key = self._get_new_session_key()
|
|
try:
|
|
self.save(must_create=True)
|
|
except CreateError:
|
|
continue
|
|
self.modified = True
|
|
self._session_cache = {}
|
|
return
|
|
|
|
def save(self, must_create=False):
|
|
# Get the session data now, before we start messing
|
|
# with the file it is stored within.
|
|
session_data = self._get_session(no_load=must_create)
|
|
|
|
session_file_name = self._key_to_file()
|
|
|
|
try:
|
|
# Make sure the file exists. If it does not already exist, an
|
|
# empty placeholder file is created.
|
|
flags = os.O_WRONLY | os.O_CREAT | getattr(os, 'O_BINARY', 0)
|
|
if must_create:
|
|
flags |= os.O_EXCL
|
|
fd = os.open(session_file_name, flags)
|
|
os.close(fd)
|
|
|
|
except OSError as e:
|
|
if must_create and e.errno == errno.EEXIST:
|
|
raise CreateError
|
|
raise
|
|
|
|
# Write the session file without interfering with other threads
|
|
# or processes. By writing to an atomically generated temporary
|
|
# file and then using the atomic os.rename() to make the complete
|
|
# file visible, we avoid having to lock the session file, while
|
|
# still maintaining its integrity.
|
|
#
|
|
# Note: Locking the session file was explored, but rejected in part
|
|
# because in order to be atomic and cross-platform, it required a
|
|
# long-lived lock file for each session, doubling the number of
|
|
# files in the session storage directory at any given time. This
|
|
# rename solution is cleaner and avoids any additional overhead
|
|
# when reading the session data, which is the more common case
|
|
# unless SESSION_SAVE_EVERY_REQUEST = True.
|
|
#
|
|
# See ticket #8616.
|
|
dir, prefix = os.path.split(session_file_name)
|
|
|
|
try:
|
|
output_file_fd, output_file_name = tempfile.mkstemp(dir=dir,
|
|
prefix=prefix + '_out_')
|
|
renamed = False
|
|
try:
|
|
try:
|
|
os.write(output_file_fd, self.encode(session_data).encode())
|
|
finally:
|
|
os.close(output_file_fd)
|
|
os.rename(output_file_name, session_file_name)
|
|
renamed = True
|
|
finally:
|
|
if not renamed:
|
|
os.unlink(output_file_name)
|
|
|
|
except (OSError, IOError, EOFError):
|
|
pass
|
|
|
|
def exists(self, session_key):
|
|
return os.path.exists(self._key_to_file(session_key))
|
|
|
|
def delete(self, session_key=None):
|
|
if session_key is None:
|
|
if self.session_key is None:
|
|
return
|
|
session_key = self.session_key
|
|
try:
|
|
os.unlink(self._key_to_file(session_key))
|
|
except OSError:
|
|
pass
|
|
|
|
def clean(self):
|
|
pass
|