heckyel/mediagoblin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Make session cookies more secure.

Browse Source 
1. Our session cookies only need to be available to http, so
   mark them appropiately.

2. Send the cookie to the subpath for mediagoblin.

And instantiate a session manager on the app, once.
This commit is contained in:
Elrond 2013-04-09 22:49:11 +02:00
parent 82a40cc4e1
commit b0ee3aae91
2 changed files with 12 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
mediagoblin/app.py
View File

@ -73,6 +73,9 @@ class MediaGoblinApp(object):
# Setup other connections / useful objects # Setup other connections / useful objects
########################################## ##########################################
# Setup Session Manager, not needed in celery
self.session_manager = session.SessionManager()
# load all available locales # load all available locales
setup_locales() setup_locales()
@ -157,7 +160,7 @@ class MediaGoblinApp(object):
## Attach utilities to the request object ## Attach utilities to the request object
# Do we really want to load this via middleware? Maybe? # Do we really want to load this via middleware? Maybe?
session_manager = session.SessionManager() session_manager = self.session_manager
request.session = session_manager.load_session_from_cookie(request) request.session = session_manager.load_session_from_cookie(request)
# Attach self as request.app # Attach self as request.app
# Also attach a few utilities from request.app for convenience? # Also attach a few utilities from request.app for convenience?
@ -227,7 +230,8 @@ class MediaGoblinApp(object):
response = render_http_exeption( response = render_http_exeption(
request, e, e.get_description(environ)) request, e, e.get_description(environ))
session_manager.save_session_to_cookie(request.session, response) session_manager.save_session_to_cookie(request.session,
request, response)
return response(environ, start_response) return response(environ, start_response)

9
mediagoblin/tools/session.py
View File

@ -58,10 +58,13 @@ class SessionManager(object):
except itsdangerous.BadData: except itsdangerous.BadData:
return Session() return Session()
def save_session_to_cookie(self, session, response): def save_session_to_cookie(self, session, request, response):
if not session.is_updated(): if not session.is_updated():
return return
elif not session: elif not session:
response.delete_cookie(self.cookie_name) response.delete_cookie(self.cookie_name,
path=request.environ['SCRIPT_NAME'])
else: else:
response.set_cookie(self.cookie_name, self.signer.dumps(session)) response.set_cookie(self.cookie_name, self.signer.dumps(session),
path=request.environ['SCRIPT_NAME'],
httponly=True)