Arthur de Jong

Open Source / Free Software developer

path: root/django/contrib/sessions/backends/base.py

Commit log (each entry: subject, then author, date, files changed and lines removed/added, then the commit message body):
* Fixed #24915 -- Added stricter session key validation (David Bannon, 2015-06-07, 1 file, -1/+18)
  Changed _session_key attribute to a property and implemented basic validation in the setter. The session key must be 'truthy' and at least 8 characters long. Otherwise, the value is set to None.
* Fixed #24621 -- Fixed and documented SessionBase.pop's second argument (Adam Zapletal, 2015-04-13, 1 file, -2/+2)
  Changed SessionBase.pop's second argument to explicitly be default=None rather than *args since _session is always a dict. Thanks gabor for the report and Tim Graham for the review.
* Sorted imports with isort; refs #23860. (Tim Graham, 2015-02-06, 1 file, -6/+5)
* Fixed #20936 -- When logging out/ending a session, don't create a new, empty session. (Matt Robenolt, 2014-05-12, 1 file, -1/+8)
  Previously, when logging out, the existing session was overwritten by a new sessionid instead of deleting the session altogether. This behavior added overhead by creating a new session record in whichever backend was in use: db, cache, etc. This extra session is unnecessary at the time since no session data is meant to be preserved when explicitly logging out.
* Fixed #21674 -- Deprecated the import_by_path() function in favor of import_string(). (Berker Peksag, 2014-02-08, 1 file, -2/+2)
  Thanks Aymeric Augustin for the suggestion and review.
* More attacking E302 violators (Alex Gaynor, 2013-11-02, 1 file, -0/+2)
* Fixed #20841 -- Added messages to NotImplementedErrors (Gregor MacGregor, 2013-09-10, 1 file, -6/+6)
  Thanks joseph at vertstudios.com for the suggestion.
* Fixed #20922 -- Allowed customizing the serializer used by contrib.sessions (Tim Graham, 2013-08-22, 1 file, -12/+9)
  Added settings.SESSION_SERIALIZER which is the import path of a serializer to use for sessions. Thanks apollo13, carljm, shaib, akaariai, charettes, and dstufft for reviews.
* Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation. (Preston Holmes, 2013-05-26, 1 file, -3/+11)
  SuspiciousOperations have been differentiated into subclasses, and are now logged to a 'django.security.*' logger. SuspiciousOperations that reach django.core.handlers.base.BaseHandler will now return a 400 instead of a 500. Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft for review.
* Fixed #19356 -- Increased session key entropy. (Aymeric Augustin, 2012-11-29, 1 file, -5/+6)
* Fixed #18194 -- Expiration of file-based sessions (Aymeric Augustin, 2012-10-28, 1 file, -1/+11)
  - Prevented stale session files from being loaded
  - Added removal of stale session files in django-admin.py clearsessions
  Thanks ej for the report, crodjer and Elvard for their inputs.
* Added optional kwargs to get_expiry_age/date. (Aymeric Augustin, 2012-10-27, 1 file, -8/+32)
  This change allows for cleaner tests: we can test the exact output. Refs #18194: this change makes it possible to compute session expiry dates at times other than when the session is saved. Fixed #18458: the existence of the `modification` kwarg implies that you must pass it to get_expiry_age/date if you call these functions outside of a short request - response cycle (the intended use case).
* Fixed #19200 -- Session expiry with cached_db (Aymeric Augustin, 2012-10-27, 1 file, -3/+7)
  Also did a little bit of cleanup.
* Replaced many smart_bytes by force_bytes (Claude Paroz, 2012-08-29, 1 file, -2/+2)
  In all those occurrences, we didn't care about preserving the lazy status of the strings, but we really wanted to obtain a real bytestring.
* [py3] Fixed test_client_regress tests (Claude Paroz, 2012-08-15, 1 file, -1/+1)
* [py3] Avoided the deprecated base64 interface. (Aymeric Augustin, 2012-08-14, 1 file, -2/+2)
  This fixes a deprecation warning under Python 3.
* [py3] Fix encoding issues in contrib.sessions (Claude Paroz, 2012-08-12, 1 file, -4/+7)
* [py3] Switched to Python 3-compatible imports. (Aymeric Augustin, 2012-07-22, 1 file, -1/+1)
  xrange/range will be dealt with in a separate commit due to the huge number of changes.
* Cleanup to use get_random_string consistently. (Paul McMillan, 2012-02-23, 1 file, -21/+8)
  Removes several ad hoc implementations of get_random_string() and removes an inappropriate use of settings.SECRET_KEY.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@17580 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. (Aymeric Augustin, 2011-11-27, 1 file, -16/+14)
  Refs #13478. This also removes the implicit initialization of the session key on the first access in favor of explicit initialization.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@17155 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Upgraded django.contrib.sessions to be compatible with time zone support. (Aymeric Augustin, 2011-11-20, 1 file, -3/+4)
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@17121 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Replaced `has_key()` calls with `in` to ease Python 3 port. (Jannis Leidel, 2011-09-09, 1 file, -1/+1)
  Thanks, Martin von Löwis.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@16740 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #16225 -- Removed unused imports. (Jannis Leidel, 2011-07-13, 1 file, -1/+0)
  Many thanks to Aymeric Augustin for the work on the patch and Alex for reviewing.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@16539 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Removed Django 1.2 compatibility fallback for session data integrity check hash. (Luke Plant, 2011-03-30, 1 file, -18/+3)
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@15954 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Removed a bunch of Python 2.4 workarounds now that we don't support it. (Adrian Holovaty, 2011-03-28, 1 file, -3/+3)
  Refs #15702 -- thanks to jonash for the patch. Splitting this over multiple commits to make it more manageable.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@15926 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #14445 - Use HMAC and constant-time comparison functions where needed. (Luke Plant, 2010-10-14, 1 file, -9/+32)
  All adhoc MAC applications have been updated to use HMAC, using SHA1 to generate unique keys for each application based on the SECRET_KEY, which is common practice for this situation.
  In all cases, backwards compatibility with existing hashes has been maintained, aiming to phase this out as per the normal deprecation process. In this way, under most normal circumstances the old hashes will have expired (e.g. by session expiration etc.) before they become invalid.
  In the case of the messages framework and the cookie backend, which was already using HMAC, there is the possibility of a backwards incompatibility if the SECRET_KEY is shorter than the default 50 bytes, but the low likelihood and low impact meant compatibility code was not worth it.
  All known instances where tokens/hashes were compared using simple string equality, which could potentially open timing based attacks, have also been fixed using a constant-time comparison function.
  There are no known practical attacks against the existing implementations, so these security improvements will not be backported.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* When logging in, change the session key whilst preserving any existing session. (Malcolm Tredinnick, 2008-08-21, 1 file, -0/+10)
  This means the user will see their session preserved across a login boundary, but somebody snooping the anonymous session key won't be able to view the authenticated session data. This is the final piece of the session key handling changes.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@8459 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Made a few small tweaks to reduce persistent storage accesses in the session backend. (Malcolm Tredinnick, 2008-08-15, 1 file, -1/+5)
  Refs #8311, although doesn't fix the problem there.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@8381 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #8314 -- Fixed an infinite loop caused when submitting a session key (via a cookie) with no corresponding entry in the database. (Malcolm Tredinnick, 2008-08-14, 1 file, -3/+6)
  This only affected the database backend, but I've applied the same fix to all three backends for robustness.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@8351 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #8310 -- Actually use the SystemRandom RNG, if available, which fixes an oversight from [8340]. (Malcolm Tredinnick, 2008-08-14, 1 file, -3/+3)
  The previous code worked, but this is what I really intended.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@8346 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Implemented a flush() method on sessions that cleans out the session and regenerates the key. (Malcolm Tredinnick, 2008-08-14, 1 file, -2/+12)
  Used to ensure the caller gets a fresh session at logout, for example. Based on a patch from mrts. Refs #7515.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@8342 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Added a clear() method to sessions. Patch from mrts. Refs #7515. (Malcolm Tredinnick, 2008-08-14, 1 file, -0/+4)
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@8341 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Added guaranteed atomic creation of new session objects. (Malcolm Tredinnick, 2008-08-14, 1 file, -4/+28)
  Slightly backwards incompatible for custom session backends. Whilst we were in the neighbourhood, use a larger range of session key values to save a small amount of time and use the hardware-based random numbers where available (transparently falls back to pseudo-RNG otherwise). Fixed #1080
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@8340 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #7919 -- md5 and sha modules are deprecated since Python 2.5, use hashlib module when available. (Gary Wilson Jr, 2008-08-02, 1 file, -5/+5)
  Patch from Karen Tracey.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@8193 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Several Django styling fixes in the `contrib.sessions` app. (Gary Wilson Jr, 2008-06-23, 1 file, -5/+6)
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@7725 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #7429 -- Modified the Session base class to be a little more dictionary-like by adding update(), has_key(), values(), and iterator access methods. (Russell Keith-Magee, 2008-06-18, 1 file, -0/+19)
  Thanks to Jeremy Dunck for the suggestion and patch.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@7687 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #2548: added get/set_expiry methods to session objects. (Jacob Kaplan-Moss, 2008-06-07, 1 file, -0/+57)
  Thanks, Amit Upadhyay and SmileyChris.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@7586 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #6087 -- Added setdefault() support to the Session object. (Malcolm Tredinnick, 2007-12-02, 1 file, -0/+8)
  Thanks, Ben Slavin.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@6831 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #4729 -- Restored functionality to the Session class so that popping a value marks it as modified. (Malcolm Tredinnick, 2007-10-20, 1 file, -0/+1)
  This was accidentally lost in the changes in [6333]. Thanks, __hawkeye__.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@6558 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Removed trailing whitespace in django/contrib/sessions/backends/base.py (Adrian Holovaty, 2007-09-20, 1 file, -9/+7)
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@6388 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #5548 -- Reintroduced Jython workaround for os.getpid(), which was lost in [6270]. (Adrian Holovaty, 2007-09-20, 1 file, -2/+7)
  Thanks, leosoto.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@6386 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Refs #5513: improved session performance after [6333]'s session refactoring. (Jacob Kaplan-Moss, 2007-09-16, 1 file, -1/+1)
  Thanks, msaelices.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@6365 bcc190cf-cafb-0310-a4f2-bffc1f526a37
* Fixed #2066: session data can now be stored in the cache or on the filesystem. (Jacob Kaplan-Moss, 2007-09-15, 1 file, -0/+143)
  This should be fully backwards-compatible (the database cache store is still the default). A big thanks to John D'Agostino for the bulk of this code.
  git-svn-id: http://code.djangoproject.com/svn/django/trunk@6333 bcc190cf-cafb-0310-a4f2-bffc1f526a37