Changeset 1840
- Timestamp:
- 01/12/08 19:22:22
- Files:
-
- trunk/cherrypy/lib/sessions.py (modified) (5 diffs)
- trunk/cherrypy/test/test_session.py (modified) (5 diffs)
trunk/cherrypy/lib/sessions.py
r1838 r1840 31 31 __metaclass__ = cherrypy._AttributeDocstrings 32 32 33 id = None 33 _id = None 34 id_observers = None 35 id_observers__doc = "A list of callbacks to which to pass new id's." 36 34 37 id__doc = "The current session ID." 38 def _get_id(self): 39 return self._id 40 def _set_id(self, value): 41 self._id = value 42 for o in self.id_observers: 43 o(value) 44 id = property(_get_id, _set_id, doc=id__doc) 35 45 36 46 timeout = 60 … … 54 64 55 65 def __init__(self, id=None, **kwargs): 66 self.id_observers = [] 56 67 self._data = {} 57 68 … … 63 74 else: 64 75 self.id = id 76 if self._load() is None: 77 # Expired or malicious session. Make a new one. 78 # See http://www.cherrypy.org/ticket/709. 79 self.id = None 80 self.regenerate() 65 81 66 82 def regenerate(self): … … 119 135 # data is either None or a tuple (session_data, expiration_time) 120 136 if data is None or data[1] < datetime.datetime.now(): 121 # Expired session: flush session data (but keep the same id)137 # Expired session: flush session data 122 138 self._data = {} 123 139 else: … … 548 564 kwargs['clean_freq'] = clean_freq 549 565 cherrypy.serving.session = sess = storage_class(id, **kwargs) 566 def update_cookie(id): 567 """Update the cookie every time the session id changes.""" 568 cherrypy.response.cookie[name] = id 569 sess.id_observers.append(update_cookie) 550 570 551 571 # Create cherrypy.session which will proxy to cherrypy.serving.session trunk/cherrypy/test/test_session.py
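Review bot: The new guard in `__init__` of trunk/cherrypy/lib/sessions.py (new lines 76-80) replaces a client-supplied id only when `self._load()` returns None, so an id whose record is still in storage but past its expiration time appears to be kept. The hunk at new lines 135-138 shows that this case exists: when `data[1] < datetime.datetime.now()` it empties `self._data` and leaves the id unchanged, although the comment no longer says so. Unless `_load()` itself filters expired records (not visible here), a timed-out id stays usable until cleanup removes the record. Assuming `_load()` returns the `(session_data, expiration_time)` tuple described in that hunk's comment, the guard could test expiry too: `data = self._load()` followed by `if data is None or data[1] < datetime.datetime.now():`. Both functions start or end outside the lines shown.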
r1803 r1840 26 26 'tools.sessions.storage_type' : 'ram', 27 27 'tools.sessions.storage_path' : localDir, 28 'tools.sessions.timeout': 0.017, # 1.02 secs29 'tools.sessions.clean_freq': 0.017,28 'tools.sessions.timeout': (1.0 / 60), 29 'tools.sessions.clean_freq': (1.0 / 60), 30 30 } 31 31 … … 99 99 class SessionTest(helper.CPWebCase): 100 100 101 def tearDown(self): 102 # Clean up sessions. 103 for fname in os.listdir(localDir): 104 if fname.startswith(sessions.FileSession.SESSION_PREFIX): 105 os.unlink(os.path.join(localDir, fname)) 106 101 107 def test_0_Session(self): 102 108 self.getPage('/testStr') … … 119 125 self.assertStatus(200) 120 126 121 # Wait for the session.timeout (1 .02 secs)122 time.sleep( 1.25)127 # Wait for the session.timeout (1 second) 128 time.sleep(2) 123 129 self.getPage('/') 124 130 self.assertBody('1') … … 218 224 id2 = self.cookies[0][1].split(";", 1)[0].split("=", 1)[1] 219 225 self.assertNotEqual(id1, id2) 226 227 self.getPage('/testStr') 228 # grab the cookie ID 229 id1 = self.cookies[0][1].split(";", 1)[0].split("=", 1)[1] 230 self.getPage('/testStr', 231 headers=[('Cookie', 232 'session_id=maliciousid; ' 233 'expires=Sat, 27 Oct 2017 04:18:28 GMT; Path=/;')]) 234 id2 = self.cookies[0][1].split(";", 1)[0].split("=", 1)[1] 235 self.assertNotEqual(id1, id2) 236 self.assertNotEqual(id2, 'maliciousid') 220 237 221 238 … … 261 278 self.assertStatus(200) 262 279 263 # Wait for the session.timeout (1 .02 secs)280 # Wait for the session.timeout (1 second) 264 281 time.sleep(1.25) 265 282 self.getPage('/')
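Review bot: The regression test added at new lines 227-236 of trunk/cherrypy/test/test_session.py presents only `maliciousid`, an id the server never issued, so it does not cover an id that was issued and has since timed out. That second case is the one where a storage record may still exist when the request arrives, and the assertions here would pass whether or not such an id is replaced. I would add a case that captures an issued id, waits past `tools.sessions.timeout`, sends it back and asserts that a different id is returned, as sketched below. Whether a fresh `Set-Cookie` is emitted on that request depends on code outside these hunks, so the sketch may need adjusting. The enclosing test method starts outside the hunk.

```python
        # ... unchanged: existing 'maliciousid' assertions ...

        # An id that was issued and has since timed out must not be kept.
        self.getPage('/testStr')
        id1 = self.cookies[0][1].split(";", 1)[0].split("=", 1)[1]
        time.sleep(2)
        self.getPage('/testStr',
                     headers=[('Cookie', 'session_id=%s' % id1)])
        id2 = self.cookies[0][1].split(";", 1)[0].split("=", 1)[1]
        self.assertNotEqual(id1, id2)
```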

