Commit message | Author | Age | Files | Lines

Changed _session_key attribute to a property and implemented basic
validation in the setter. The session key must be 'truthy' and
at least 8 characters long. Otherwise, the value is set to None.

second argument
Changed SessionBase.pop's second argument to explicitly be default=None
rather than *args since _session is always a dict. Thanks gabor for the
report and Tim Graham for the review.

create a new, empty session.
Previously, when logging out, the existing session was overwritten by a
new sessionid instead of deleting the session altogether.
This behavior added overhead by creating a new session record in
whichever backend was in use: db, cache, etc.
This extra session is unnecessary at the time since no session data is
meant to be preserved when explicitly logging out.

in favor of import_string().
Thanks Aymeric Augustin for the suggestion and review.

Thanks joseph at vertstudios.com for the suggestion.

by contrib.sessions
Added settings.SESSION_SERIALIZER which is the import path of a serializer
to use for sessions.
Thanks apollo13, carljm, shaib, akaariai, charettes, and dstufft for reviews.

SuspiciousOperation.
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.
Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.

* Prevented stale session files from being loaded
* Added removal of stale session files in django-admin.py clearsessions
Thanks ej for the report, crodjer and Elvard for their inputs.

This change allows for cleaner tests: we can test the exact output.
Refs #18194: this change makes it possible to compute session expiry
dates at times other than when the session is saved.
Fixed #18458: the existence of the `modification` kwarg implies that you
must pass it to get_expiry_age/date if you call these functions outside
of a short request-response cycle (the intended use case).

Also did a little bit of cleanup.

In all those occurrences, we didn't care about preserving the
lazy status of the strings, but we really wanted to obtain a
real bytestring.

This fixes a deprecation warning under Python 3.

xrange/range will be dealt with in a separate commit due to the huge
number of changes.

Removes several ad hoc implementations of get_random_string()
and removes an inappropriate use of settings.SECRET_KEY.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17580 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Cleaned up code slightly. Refs #13478.
This also removes the implicit initialization of the session key on the first access in favor of explicit initialization.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17155 bcc190cf-cafb-0310-a4f2-bffc1f526a37

time zone support.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17121 bcc190cf-cafb-0310-a4f2-bffc1f526a37

port. Thanks, Martin von Löwis.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16740 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Aymeric Augustin for the work on the patch and Alex for reviewing.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16539 bcc190cf-cafb-0310-a4f2-bffc1f526a37

data integrity check hash.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15954 bcc190cf-cafb-0310-a4f2-bffc1f526a37

don't support it. Refs #15702 -- thanks to jonash for the patch. Splitting this over multiple commits to make it more manageable.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15926 bcc190cf-cafb-0310-a4f2-bffc1f526a37

functions where needed.
All ad hoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.
In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.
All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.
There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37

preserving any existing
session. This means the user will see their session preserved across a login
boundary, but somebody snooping the anonymous session key won't be able to view
the authenticated session data.
This is the final piece of the session key handling changes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8459 bcc190cf-cafb-0310-a4f2-bffc1f526a37

accesses in the session
backend. Refs #8311, although it doesn't fix the problem there.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8381 bcc190cf-cafb-0310-a4f2-bffc1f526a37

submitting a session key (via
a cookie) with no corresponding entry in the database.
This only affected the database backend, but I've applied the same fix to all
three backends for robustness.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8351 bcc190cf-cafb-0310-a4f2-bffc1f526a37

available, which fixes an
oversight from [8340]. The previous code worked, but this is what I really
intended.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8346 bcc190cf-cafb-0310-a4f2-bffc1f526a37

the session and
regenerates the key. Used to ensure the caller gets a fresh session at logout,
for example.
Based on a patch from mrts. Refs #7515.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8342 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Refs #7515.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8341 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Slightly backwards
incompatible for custom session backends.
Whilst we were in the neighbourhood, use a larger range of session key values
to save a small amount of time and use the hardware-based random numbers where
available (transparently falls back to pseudo-RNG otherwise).
Fixed #1080
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8340 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Python 2.5, use hashlib module when available. Patch from Karen Tracey.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8193 bcc190cf-cafb-0310-a4f2-bffc1f526a37

git-svn-id: http://code.djangoproject.com/svn/django/trunk@7725 bcc190cf-cafb-0310-a4f2-bffc1f526a37

more dictionary-like by adding update(), has_key(), values(), and iterator access methods. Thanks to Jeremy Dunck for the suggestion and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7687 bcc190cf-cafb-0310-a4f2-bffc1f526a37

objects. Thanks, Amit Upadhyay and SmileyChris.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7586 bcc190cf-cafb-0310-a4f2-bffc1f526a37

object. Thanks, Ben
Slavin.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6831 bcc190cf-cafb-0310-a4f2-bffc1f526a37

class so that popping a
value marks it as modified. This was accidentally lost in the changes in
[6333]. Thanks, __hawkeye__.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6558 bcc190cf-cafb-0310-a4f2-bffc1f526a37

django/contrib/sessions/backends/base.py
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6388 bcc190cf-cafb-0310-a4f2-bffc1f526a37

os.getpid(), which was lost in [6270]. Thanks, leosoto.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6386 bcc190cf-cafb-0310-a4f2-bffc1f526a37

session refactoring. Thanks, msaelices.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6365 bcc190cf-cafb-0310-a4f2-bffc1f526a37

or on the filesystem. This should be fully backwards-compatible (the database cache store is still the default). A big thanks to John D'Agostino for the bulk of this code.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6333 bcc190cf-cafb-0310-a4f2-bffc1f526a37