def test_tampering(self):
"""Reject spoofed sessionid cookies by anonymous users"""
with self.assertRaises(SuspiciousOperation):
self.client.cookies.load({settings.SESSION_COOKIE_NAME: "123"})
response = self.client.get(all_users)
python类SESSION_COOKIE_NAME的实例源码
def per_user(request, response, user, age):
"""Content is cached once for anonymous users and for each authenticated
user individually."""
response["Last-Modified"] = httpdate(datetime.datetime.utcnow())
# nginx specific but safe to set in all cases
response["X-Accel-Expires"] = age
response["Cache-Control"] = "max-age=%d, s-maxage=%d" \
% (browser_cache_seconds, age)
response["X-Hash-Cookies"] = "messages|%s" % settings.SESSION_COOKIE_NAME
response["Vary"] = "Accept-Encoding,Cookie"
def process_response(self, request, response):
try:
accessed = request.session.accessed
modified = request.session.modified
empty = request.session.is_empty()
except AttributeError:
pass
else:
# First check if we need to delete this cookie.
# The session should be deleted only if the session is entirely empty
if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
response.delete_cookie(settings.SESSION_COOKIE_NAME)
else:
if accessed:
patch_vary_headers(response, ('Cookie',))
if modified or settings.SESSION_SAVE_EVERY_REQUEST:
if request.session.get_expire_at_browser_close():
max_age = None
expires = None
else:
max_age = request.session.get_expiry_age()
expires_time = time.time() + max_age
expires = cookie_date(expires_time)
# Save the session data and refresh the client cookie.
# Skip session save for 500 responses, refs #3881.
if response.status_code != 500:
request.session.save()
response.set_cookie(
settings.SESSION_COOKIE_NAME,
request.session.session_key, max_age=max_age,
expires=expires,
domain=get_cookie_domain(request),
path=settings.SESSION_COOKIE_PATH,
secure=request.scheme == 'https',
httponly=settings.SESSION_COOKIE_HTTPONLY or None,
)
return response
def __init__(self, session_key=None):
self.storage_path = type(self)._get_storage_path()
self.file_prefix = settings.SESSION_COOKIE_NAME
super(SessionStore, self).__init__(session_key)
def clear_expired(cls):
storage_path = cls._get_storage_path()
file_prefix = settings.SESSION_COOKIE_NAME
for session_file in os.listdir(storage_path):
if not session_file.startswith(file_prefix):
continue
session_key = session_file[len(file_prefix):]
session = cls(session_key)
# When an expired session is loaded, its file is removed, and a
# new file is immediately created. Prevent this by disabling
# the create() method.
session.create = lambda: None
session.load()
def process_request(self, request):
session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
request.session = self.SessionStore(session_key)
def request_started_handler(sender, environ, **kwargs):
if not should_log_url(environ['PATH_INFO']):
return
# get the user from cookies
user = None
if environ.get('HTTP_COOKIE'):
cookie = SimpleCookie() # python3 compatibility
cookie.load(environ['HTTP_COOKIE'])
session_cookie_name = settings.SESSION_COOKIE_NAME
if session_cookie_name in cookie:
session_id = cookie[session_cookie_name].value
try:
session = Session.objects.get(session_key=session_id)
except Session.DoesNotExist:
session = None
if session:
user_id = session.get_decoded().get('_auth_user_id')
try:
user = get_user_model().objects.get(id=user_id)
except:
user = None
request_event = RequestEvent.objects.create(
url=environ['PATH_INFO'],
method=environ['REQUEST_METHOD'],
query_string=environ['QUERY_STRING'],
user=user,
remote_ip=environ['REMOTE_ADDR'],
datetime=timezone.now()
)
def __init__(self, session_key=None):
self.storage_path = type(self)._get_storage_path()
self.file_prefix = settings.SESSION_COOKIE_NAME
super(SessionStore, self).__init__(session_key)
def clear_expired(cls):
storage_path = cls._get_storage_path()
file_prefix = settings.SESSION_COOKIE_NAME
for session_file in os.listdir(storage_path):
if not session_file.startswith(file_prefix):
continue
session_key = session_file[len(file_prefix):]
session = cls(session_key)
# When an expired session is loaded, its file is removed, and a
# new file is immediately created. Prevent this by disabling
# the create() method.
session.create = lambda: None
session.load()
def process_request(self, request):
session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME, None)
request.session = self.SessionStore(session_key)
def process_response(self, request, response):
"""
If request.session was modified, or if the configuration is to save the
session every time, save the changes and set a session cookie or delete
the session cookie if the session has been emptied.
"""
try:
accessed = request.session.accessed
modified = request.session.modified
empty = request.session.is_empty()
except AttributeError:
pass
else:
# First check if we need to delete this cookie.
# The session should be deleted only if the session is entirely empty
if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
response.delete_cookie(settings.SESSION_COOKIE_NAME,
domain=settings.SESSION_COOKIE_DOMAIN)
else:
if accessed:
patch_vary_headers(response, ('Cookie',))
if modified or settings.SESSION_SAVE_EVERY_REQUEST:
if request.session.get_expire_at_browser_close():
max_age = None
expires = None
else:
max_age = request.session.get_expiry_age()
expires_time = time.time() + max_age
expires = cookie_date(expires_time)
# Save the session data and refresh the client cookie.
# Skip session save for 500 responses, refs #3881.
if response.status_code != 500:
request.session.save()
response.set_cookie(settings.SESSION_COOKIE_NAME,
request.session.session_key, max_age=max_age,
expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
path=settings.SESSION_COOKIE_PATH,
secure=settings.SESSION_COOKIE_SECURE or None,
httponly=settings.SESSION_COOKIE_HTTPONLY or None)
return response
def test_add_product(self):
""" POST request to a product page augments the CartItem instance count """
quantity = 2
product_url = self.product.get_absolute_url()
response = self.client.get(product_url)
self.assertEqual(response.status_code, httplib.OK )
# store count in cart_count variable
cart_item_count = self.get_cart_item_count()
# assert that the cart item count is zero
self.failUnlessEqual(cart_item_count, 0)
# perform the post of adding to the cart
cookie = self.client.cookies[settings.SESSION_COOKIE_NAME]
csrf_token = csrf.middleware._make_token(cookie.value)
#self.failUnlessEqual(csrf_token, None)
postdata = {'product_slug': self.product.slug,
'quantity': quantity,
'csrfmiddlewaretoken': csrf_token }
response = self.client.post(product_url, postdata )
# assert redirected to cart page - 302 then 200?
cart_url = urlresolvers.reverse('show_cart')
self.assertRedirects(response, cart_url, status_code=httplib.FOUND, target_status_code=httplib.OK)
# assert cart item count is incremented by one
self.assertEqual(self.get_cart_item_count(), cart_item_count + 1)
cart_id = self.get_cart_id()
last_item = CartItem.objects.filter(cart_id=cart_id).latest('date_added')
# assert the latest cart item has a quantity of two
self.failUnlessEqual(last_item.quantity, quantity)
# assert the latest cart item is the correct product
self.failUnlessEqual(last_item.product, self.product)
def __init__(self, session_key=None):
self.storage_path = type(self)._get_storage_path()
self.file_prefix = settings.SESSION_COOKIE_NAME
super(SessionStore, self).__init__(session_key)
def clear_expired(cls):
storage_path = cls._get_storage_path()
file_prefix = settings.SESSION_COOKIE_NAME
for session_file in os.listdir(storage_path):
if not session_file.startswith(file_prefix):
continue
session_key = session_file[len(file_prefix):]
session = cls(session_key)
# When an expired session is loaded, its file is removed, and a
# new file is immediately created. Prevent this by disabling
# the create() method.
session.create = lambda: None
session.load()
def process_request(self, request):
session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
request.session = self.SessionStore(session_key)
def process_response(self, request, response):
"""
If request.session was modified, or if the configuration is to save the
session every time, save the changes and set a session cookie or delete
the session cookie if the session has been emptied.
"""
try:
accessed = request.session.accessed
modified = request.session.modified
empty = request.session.is_empty()
except AttributeError:
pass
else:
# First check if we need to delete this cookie.
# The session should be deleted only if the session is entirely empty
if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
response.delete_cookie(settings.SESSION_COOKIE_NAME,
domain=settings.SESSION_COOKIE_DOMAIN)
else:
if accessed:
patch_vary_headers(response, ('Cookie',))
if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
if request.session.get_expire_at_browser_close():
max_age = None
expires = None
else:
max_age = request.session.get_expiry_age()
expires_time = time.time() + max_age
expires = cookie_date(expires_time)
# Save the session data and refresh the client cookie.
# Skip session save for 500 responses, refs #3881.
if response.status_code != 500:
request.session.save()
response.set_cookie(settings.SESSION_COOKIE_NAME,
request.session.session_key, max_age=max_age,
expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
path=settings.SESSION_COOKIE_PATH,
secure=settings.SESSION_COOKIE_SECURE or None,
httponly=settings.SESSION_COOKIE_HTTPONLY or None)
return response
def process_request(self, request, *args, **kwargs):
sessionid = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
if (sessionid is not None) and (not isinstance(request.user, AnonymousUser)):
redis_client = redis.StrictRedis(host='localhost', port=6379, db=0)
redis_client.set(request.user.id, sessionid)
def __init__(self, session_key=None):
self.storage_path = type(self)._get_storage_path()
self.file_prefix = settings.SESSION_COOKIE_NAME
super(SessionStore, self).__init__(session_key)
