| 1 |
"""Session implementation for CherryPy. |
|---|
| 2 |
|
|---|
| 3 |
You need to edit your config file to use sessions. Here's an example:: |
|---|
| 4 |
|
|---|
| 5 |
[/] |
|---|
| 6 |
tools.sessions.on = True |
|---|
| 7 |
tools.sessions.storage_type = "file" |
|---|
| 8 |
tools.sessions.storage_path = "/home/site/sessions" |
|---|
| 9 |
tools.sessions.timeout = 60 |
|---|
| 10 |
|
|---|
| 11 |
This sets the session to be stored in files in the directory /home/site/sessions, |
|---|
| 12 |
and the session timeout to 60 minutes. If you omit ``storage_type`` the sessions |
|---|
| 13 |
will be saved in RAM. ``tools.sessions.on`` is the only required line for |
|---|
| 14 |
working sessions, the rest are optional. |
|---|
| 15 |
|
|---|
| 16 |
By default, the session ID is passed in a cookie, so the client's browser must |
|---|
| 17 |
have cookies enabled for your site. |
|---|
| 18 |
|
|---|
| 19 |
To set data for the current session, use |
|---|
| 20 |
``cherrypy.session['fieldname'] = 'fieldvalue'``; |
|---|
| 21 |
to get data use ``cherrypy.session.get('fieldname')``. |
|---|
| 22 |
|
|---|
| 23 |
================ |
|---|
| 24 |
Locking sessions |
|---|
| 25 |
================ |
|---|
| 26 |
|
|---|
| 27 |
By default, the ``'locking'`` mode of sessions is ``'implicit'``, which means |
|---|
| 28 |
the session is locked early and unlocked late. If you want to control when the |
|---|
| 29 |
session data is locked and unlocked, set ``tools.sessions.locking = 'explicit'``. |
|---|
| 30 |
Then call ``cherrypy.session.acquire_lock()`` and ``cherrypy.session.release_lock()``. |
|---|
| 31 |
Regardless of which mode you use, the session is guaranteed to be unlocked when |
|---|
| 32 |
the request is complete. |
|---|
| 33 |
|
|---|
| 34 |
================= |
|---|
| 35 |
Expiring Sessions |
|---|
| 36 |
================= |
|---|
| 37 |
|
|---|
| 38 |
You can force a session to expire with :func:`cherrypy.lib.sessions.expire`. |
|---|
| 39 |
Simply call that function at the point you want the session to expire, and it |
|---|
| 40 |
will cause the session cookie to expire client-side. |
|---|
| 41 |
|
|---|
| 42 |
=========================== |
|---|
| 43 |
Session Fixation Protection |
|---|
| 44 |
=========================== |
|---|
| 45 |
|
|---|
| 46 |
If CherryPy receives, via a request cookie, a session id that it does not |
|---|
| 47 |
recognize, it will reject that id and create a new one to return in the |
|---|
| 48 |
response cookie. This `helps prevent session fixation attacks |
|---|
| 49 |
<http://en.wikipedia.org/wiki/Session_fixation#Regenerate_SID_on_each_request>`_. |
|---|
| 50 |
However, CherryPy "recognizes" a session id by looking up the saved session |
|---|
| 51 |
data for that id. Therefore, if you never save any session data, |
|---|
| 52 |
**you will get a new session id for every request**. |
|---|
| 53 |
|
|---|
| 54 |
================ |
|---|
| 55 |
Sharing Sessions |
|---|
| 56 |
================ |
|---|
| 57 |
|
|---|
| 58 |
If you run multiple instances of CherryPy (for example via mod_python behind |
|---|
| 59 |
Apache prefork), you most likely cannot use the RAM session backend, since each |
|---|
| 60 |
instance of CherryPy will have its own memory space. Use a different backend |
|---|
| 61 |
instead, and verify that all instances are pointing at the same file or db |
|---|
| 62 |
location. Alternately, you might try a load balancer which makes sessions |
|---|
| 63 |
"sticky". Google is your friend, there. |
|---|
| 64 |
|
|---|
| 65 |
================ |
|---|
| 66 |
Expiration Dates |
|---|
| 67 |
================ |
|---|
| 68 |
|
|---|
| 69 |
The response cookie will possess an expiration date to inform the client at |
|---|
| 70 |
which point to stop sending the cookie back in requests. If the server time |
|---|
| 71 |
and client time differ, expect sessions to be unreliable. **Make sure the |
|---|
| 72 |
system time of your server is accurate**. |
|---|
| 73 |
|
|---|
| 74 |
CherryPy defaults to a 60-minute session timeout, which also applies to the |
|---|
| 75 |
cookie which is sent to the client. Unfortunately, some versions of Safari |
|---|
| 76 |
("4 public beta" on Windows XP at least) appear to have a bug in their parsing |
|---|
| 77 |
of the GMT expiration date--they appear to interpret the date as one hour in |
|---|
| 78 |
the past. Sixty minutes minus one hour is pretty close to zero, so you may |
|---|
| 79 |
experience this bug as a new session id for every request, unless the requests |
|---|
| 80 |
are less than one second apart. To fix, try increasing the session.timeout. |
|---|
| 81 |
|
|---|
| 82 |
On the other extreme, some users report Firefox sending cookies after their |
|---|
| 83 |
expiration date, although this was on a system with an inaccurate system time. |
|---|
| 84 |
Maybe FF doesn't trust system time. |
|---|
| 85 |
""" |
|---|
| 86 |
|
|---|
| 87 |
import datetime |
|---|
| 88 |
import os |
|---|
| 89 |
try: |
|---|
| 90 |
import cPickle as pickle |
|---|
| 91 |
except ImportError: |
|---|
| 92 |
import pickle |
|---|
| 93 |
import random |
|---|
| 94 |
try: |
|---|
| 95 |
|
|---|
| 96 |
from hashlib import sha1 as sha |
|---|
| 97 |
except ImportError: |
|---|
| 98 |
from sha import new as sha |
|---|
| 99 |
import time |
|---|
| 100 |
import threading |
|---|
| 101 |
import types |
|---|
| 102 |
from warnings import warn |
|---|
| 103 |
|
|---|
| 104 |
import cherrypy |
|---|
| 105 |
from cherrypy.lib import httputil |
|---|
| 106 |
|
|---|
| 107 |
|
|---|
| 108 |
missing = object() |
|---|
| 109 |
|
|---|
| 110 |
class Session(object): |
|---|
| 111 |
"""A CherryPy dict-like Session object (one per request).""" |
|---|
| 112 |
|
|---|
| 113 |
_id = None |
|---|
| 114 |
|
|---|
| 115 |
id_observers = None |
|---|
| 116 |
"A list of callbacks to which to pass new id's." |
|---|
| 117 |
|
|---|
| 118 |
def _get_id(self): |
|---|
| 119 |
return self._id |
|---|
| 120 |
def _set_id(self, value): |
|---|
| 121 |
self._id = value |
|---|
| 122 |
for o in self.id_observers: |
|---|
| 123 |
o(value) |
|---|
| 124 |
id = property(_get_id, _set_id, doc="The current session ID.") |
|---|
| 125 |
|
|---|
| 126 |
timeout = 60 |
|---|
| 127 |
"Number of minutes after which to delete session data." |
|---|
| 128 |
|
|---|
| 129 |
locked = False |
|---|
| 130 |
""" |
|---|
| 131 |
If True, this session instance has exclusive read/write access |
|---|
| 132 |
to session data.""" |
|---|
| 133 |
|
|---|
| 134 |
loaded = False |
|---|
| 135 |
""" |
|---|
| 136 |
If True, data has been retrieved from storage. This should happen |
|---|
| 137 |
automatically on the first attempt to access session data.""" |
|---|
| 138 |
|
|---|
| 139 |
clean_thread = None |
|---|
| 140 |
"Class-level Monitor which calls self.clean_up." |
|---|
| 141 |
|
|---|
| 142 |
clean_freq = 5 |
|---|
| 143 |
"The poll rate for expired session cleanup in minutes." |
|---|
| 144 |
|
|---|
| 145 |
originalid = None |
|---|
| 146 |
"The session id passed by the client. May be missing or unsafe." |
|---|
| 147 |
|
|---|
| 148 |
missing = False |
|---|
| 149 |
"True if the session requested by the client did not exist." |
|---|
| 150 |
|
|---|
| 151 |
regenerated = False |
|---|
| 152 |
""" |
|---|
| 153 |
True if the application called session.regenerate(). This is not set by |
|---|
| 154 |
internal calls to regenerate the session id.""" |
|---|
| 155 |
|
|---|
| 156 |
debug=False |
|---|
| 157 |
|
|---|
| 158 |
def __init__(self, id=None, **kwargs): |
|---|
| 159 |
self.id_observers = [] |
|---|
| 160 |
self._data = {} |
|---|
| 161 |
|
|---|
| 162 |
for k, v in kwargs.items(): |
|---|
| 163 |
setattr(self, k, v) |
|---|
| 164 |
|
|---|
| 165 |
self.originalid = id |
|---|
| 166 |
self.missing = False |
|---|
| 167 |
if id is None: |
|---|
| 168 |
if self.debug: |
|---|
| 169 |
cherrypy.log('No id given; making a new one', 'TOOLS.SESSIONS') |
|---|
| 170 |
self._regenerate() |
|---|
| 171 |
else: |
|---|
| 172 |
self.id = id |
|---|
| 173 |
if not self._exists(): |
|---|
| 174 |
if self.debug: |
|---|
| 175 |
cherrypy.log('Expired or malicious session %r; ' |
|---|
| 176 |
'making a new one' % id, 'TOOLS.SESSIONS') |
|---|
| 177 |
|
|---|
| 178 |
|
|---|
| 179 |
self.id = None |
|---|
| 180 |
self.missing = True |
|---|
| 181 |
self._regenerate() |
|---|
| 182 |
|
|---|
| 183 |
def regenerate(self): |
|---|
| 184 |
"""Replace the current session (with a new id).""" |
|---|
| 185 |
self.regenerated = True |
|---|
| 186 |
self._regenerate() |
|---|
| 187 |
|
|---|
| 188 |
def _regenerate(self): |
|---|
| 189 |
if self.id is not None: |
|---|
| 190 |
self.delete() |
|---|
| 191 |
|
|---|
| 192 |
old_session_was_locked = self.locked |
|---|
| 193 |
if old_session_was_locked: |
|---|
| 194 |
self.release_lock() |
|---|
| 195 |
|
|---|
| 196 |
self.id = None |
|---|
| 197 |
while self.id is None: |
|---|
| 198 |
self.id = self.generate_id() |
|---|
| 199 |
|
|---|
| 200 |
if self._exists(): |
|---|
| 201 |
self.id = None |
|---|
| 202 |
|
|---|
| 203 |
if old_session_was_locked: |
|---|
| 204 |
self.acquire_lock() |
|---|
| 205 |
|
|---|
| 206 |
def clean_up(self): |
|---|
| 207 |
"""Clean up expired sessions.""" |
|---|
| 208 |
pass |
|---|
| 209 |
|
|---|
| 210 |
try: |
|---|
| 211 |
os.urandom(20) |
|---|
| 212 |
except (AttributeError, NotImplementedError): |
|---|
| 213 |
|
|---|
| 214 |
def generate_id(self): |
|---|
| 215 |
"""Return a new session id.""" |
|---|
| 216 |
return sha('%s' % random.random()).hexdigest() |
|---|
| 217 |
else: |
|---|
| 218 |
def generate_id(self): |
|---|
| 219 |
"""Return a new session id.""" |
|---|
| 220 |
return os.urandom(20).encode('hex') |
|---|
| 221 |
|
|---|
| 222 |
def save(self): |
|---|
| 223 |
"""Save session data.""" |
|---|
| 224 |
try: |
|---|
| 225 |
|
|---|
| 226 |
|
|---|
| 227 |
if self.loaded: |
|---|
| 228 |
t = datetime.timedelta(seconds = self.timeout * 60) |
|---|
| 229 |
expiration_time = datetime.datetime.now() + t |
|---|
| 230 |
if self.debug: |
|---|
| 231 |
cherrypy.log('Saving with expiry %s' % expiration_time, |
|---|
| 232 |
'TOOLS.SESSIONS') |
|---|
| 233 |
self._save(expiration_time) |
|---|
| 234 |
|
|---|
| 235 |
finally: |
|---|
| 236 |
if self.locked: |
|---|
| 237 |
|
|---|
| 238 |
self.release_lock() |
|---|
| 239 |
|
|---|
| 240 |
def load(self): |
|---|
| 241 |
"""Copy stored session data into this session instance.""" |
|---|
| 242 |
data = self._load() |
|---|
| 243 |
|
|---|
| 244 |
if data is None or data[1] < datetime.datetime.now(): |
|---|
| 245 |
if self.debug: |
|---|
| 246 |
cherrypy.log('Expired session, flushing data', 'TOOLS.SESSIONS') |
|---|
| 247 |
self._data = {} |
|---|
| 248 |
else: |
|---|
| 249 |
self._data = data[0] |
|---|
| 250 |
self.loaded = True |
|---|
| 251 |
|
|---|
| 252 |
|
|---|
| 253 |
|
|---|
| 254 |
cls = self.__class__ |
|---|
| 255 |
if self.clean_freq and not cls.clean_thread: |
|---|
| 256 |
|
|---|
| 257 |
|
|---|
| 258 |
t = cherrypy.process.plugins.Monitor( |
|---|
| 259 |
cherrypy.engine, self.clean_up, self.clean_freq * 60, |
|---|
| 260 |
name='Session cleanup') |
|---|
| 261 |
t.subscribe() |
|---|
| 262 |
cls.clean_thread = t |
|---|
| 263 |
t.start() |
|---|
| 264 |
|
|---|
| 265 |
def delete(self): |
|---|
| 266 |
"""Delete stored session data.""" |
|---|
| 267 |
self._delete() |
|---|
| 268 |
|
|---|
| 269 |
def __getitem__(self, key): |
|---|
| 270 |
if not self.loaded: self.load() |
|---|
| 271 |
return self._data[key] |
|---|
| 272 |
|
|---|
| 273 |
def __setitem__(self, key, value): |
|---|
| 274 |
if not self.loaded: self.load() |
|---|
| 275 |
self._data[key] = value |
|---|
| 276 |
|
|---|
| 277 |
def __delitem__(self, key): |
|---|
| 278 |
if not self.loaded: self.load() |
|---|
| 279 |
del self._data[key] |
|---|
| 280 |
|
|---|
| 281 |
def pop(self, key, default=missing): |
|---|
| 282 |
"""Remove the specified key and return the corresponding value. |
|---|
| 283 |
If key is not found, default is returned if given, |
|---|
| 284 |
otherwise KeyError is raised. |
|---|
| 285 |
""" |
|---|
| 286 |
if not self.loaded: self.load() |
|---|
| 287 |
if default is missing: |
|---|
| 288 |
return self._data.pop(key) |
|---|
| 289 |
else: |
|---|
| 290 |
return self._data.pop(key, default) |
|---|
| 291 |
|
|---|
| 292 |
def __contains__(self, key): |
|---|
| 293 |
if not self.loaded: self.load() |
|---|
| 294 |
return key in self._data |
|---|
| 295 |
|
|---|
| 296 |
def has_key(self, key): |
|---|
| 297 |
"""D.has_key(k) -> True if D has a key k, else False.""" |
|---|
| 298 |
if not self.loaded: self.load() |
|---|
| 299 |
return key in self._data |
|---|
| 300 |
|
|---|
| 301 |
def get(self, key, default=None): |
|---|
| 302 |
"""D.get(k[,d]) -> D[k] if k in D, else d. d defaults to None.""" |
|---|
| 303 |
if not self.loaded: self.load() |
|---|
| 304 |
return self._data.get(key, default) |
|---|
| 305 |
|
|---|
| 306 |
def update(self, d): |
|---|
| 307 |
"""D.update(E) -> None. Update D from E: for k in E: D[k] = E[k].""" |
|---|
| 308 |
if not self.loaded: self.load() |
|---|
| 309 |
self._data.update(d) |
|---|
| 310 |
|
|---|
| 311 |
def setdefault(self, key, default=None): |
|---|
| 312 |
"""D.setdefault(k[,d]) -> D.get(k,d), also set D[k]=d if k not in D.""" |
|---|
| 313 |
if not self.loaded: self.load() |
|---|
| 314 |
return self._data.setdefault(key, default) |
|---|
| 315 |
|
|---|
| 316 |
def clear(self): |
|---|
| 317 |
"""D.clear() -> None. Remove all items from D.""" |
|---|
| 318 |
if not self.loaded: self.load() |
|---|
| 319 |
self._data.clear() |
|---|
| 320 |
|
|---|
| 321 |
def keys(self): |
|---|
| 322 |
"""D.keys() -> list of D's keys.""" |
|---|
| 323 |
if not self.loaded: self.load() |
|---|
| 324 |
return self._data.keys() |
|---|
| 325 |
|
|---|
| 326 |
def items(self): |
|---|
| 327 |
"""D.items() -> list of D's (key, value) pairs, as 2-tuples.""" |
|---|
| 328 |
if not self.loaded: self.load() |
|---|
| 329 |
return self._data.items() |
|---|
| 330 |
|
|---|
| 331 |
def values(self): |
|---|
| 332 |
"""D.values() -> list of D's values.""" |
|---|
| 333 |
if not self.loaded: self.load() |
|---|
| 334 |
return self._data.values() |
|---|
| 335 |
|
|---|
| 336 |
|
|---|
| 337 |
class RamSession(Session): |
|---|
| 338 |
|
|---|
| 339 |
|
|---|
| 340 |
cache = {} |
|---|
| 341 |
locks = {} |
|---|
| 342 |
|
|---|
| 343 |
def clean_up(self): |
|---|
| 344 |
"""Clean up expired sessions.""" |
|---|
| 345 |
now = datetime.datetime.now() |
|---|
| 346 |
for id, (data, expiration_time) in self.cache.items(): |
|---|
| 347 |
if expiration_time <= now: |
|---|
| 348 |
try: |
|---|
| 349 |
del self.cache[id] |
|---|
| 350 |
except KeyError: |
|---|
| 351 |
pass |
|---|
| 352 |
try: |
|---|
| 353 |
del self.locks[id] |
|---|
| 354 |
except KeyError: |
|---|
| 355 |
pass |
|---|
| 356 |
|
|---|
| 357 |
def _exists(self): |
|---|
| 358 |
return self.id in self.cache |
|---|
| 359 |
|
|---|
| 360 |
def _load(self): |
|---|
| 361 |
return self.cache.get(self.id) |
|---|
| 362 |
|
|---|
| 363 |
def _save(self, expiration_time): |
|---|
| 364 |
self.cache[self.id] = (self._data, expiration_time) |
|---|
| 365 |
|
|---|
| 366 |
def _delete(self): |
|---|
| 367 |
self.cache.pop(self.id, None) |
|---|
| 368 |
|
|---|
| 369 |
def acquire_lock(self): |
|---|
| 370 |
"""Acquire an exclusive lock on the currently-loaded session data.""" |
|---|
| 371 |
self.locked = True |
|---|
| 372 |
self.locks.setdefault(self.id, threading.RLock()).acquire() |
|---|
| 373 |
|
|---|
| 374 |
def release_lock(self): |
|---|
| 375 |
"""Release the lock on the currently-loaded session data.""" |
|---|
| 376 |
self.locks[self.id].release() |
|---|
| 377 |
self.locked = False |
|---|
| 378 |
|
|---|
| 379 |
def __len__(self): |
|---|
| 380 |
"""Return the number of active sessions.""" |
|---|
| 381 |
return len(self.cache) |
|---|
| 382 |
|
|---|
| 383 |
|
|---|
| 384 |
class FileSession(Session): |
|---|
| 385 |
"""Implementation of the File backend for sessions |
|---|
| 386 |
|
|---|
| 387 |
storage_path |
|---|
| 388 |
The folder where session data will be saved. Each session |
|---|
| 389 |
will be saved as pickle.dump(data, expiration_time) in its own file; |
|---|
| 390 |
the filename will be self.SESSION_PREFIX + self.id. |
|---|
| 391 |
|
|---|
| 392 |
""" |
|---|
| 393 |
|
|---|
| 394 |
SESSION_PREFIX = 'session-' |
|---|
| 395 |
LOCK_SUFFIX = '.lock' |
|---|
| 396 |
pickle_protocol = pickle.HIGHEST_PROTOCOL |
|---|
| 397 |
|
|---|
| 398 |
def __init__(self, id=None, **kwargs): |
|---|
| 399 |
|
|---|
| 400 |
kwargs['storage_path'] = os.path.abspath(kwargs['storage_path']) |
|---|
| 401 |
Session.__init__(self, id=id, **kwargs) |
|---|
| 402 |
|
|---|
| 403 |
def setup(cls, **kwargs): |
|---|
| 404 |
"""Set up the storage system for file-based sessions. |
|---|
| 405 |
|
|---|
| 406 |
This should only be called once per process; this will be done |
|---|
| 407 |
automatically when using sessions.init (as the built-in Tool does). |
|---|
| 408 |
""" |
|---|
| 409 |
|
|---|
| 410 |
kwargs['storage_path'] = os.path.abspath(kwargs['storage_path']) |
|---|
| 411 |
|
|---|
| 412 |
for k, v in kwargs.items(): |
|---|
| 413 |
setattr(cls, k, v) |
|---|
| 414 |
|
|---|
| 415 |
|
|---|
| 416 |
lockfiles = [fname for fname in os.listdir(cls.storage_path) |
|---|
| 417 |
if (fname.startswith(cls.SESSION_PREFIX) |
|---|
| 418 |
and fname.endswith(cls.LOCK_SUFFIX))] |
|---|
| 419 |
if lockfiles: |
|---|
| 420 |
plural = ('', 's')[len(lockfiles) > 1] |
|---|
| 421 |
warn("%s session lockfile%s found at startup. If you are " |
|---|
| 422 |
"only running one process, then you may need to " |
|---|
| 423 |
"manually delete the lockfiles found at %r." |
|---|
| 424 |
% (len(lockfiles), plural, cls.storage_path)) |
|---|
| 425 |
setup = classmethod(setup) |
|---|
| 426 |
|
|---|
| 427 |
def _get_file_path(self): |
|---|
| 428 |
f = os.path.join(self.storage_path, self.SESSION_PREFIX + self.id) |
|---|
| 429 |
if not os.path.abspath(f).startswith(self.storage_path): |
|---|
| 430 |
raise cherrypy.HTTPError(400, "Invalid session id in cookie.") |
|---|
| 431 |
return f |
|---|
| 432 |
|
|---|
| 433 |
def _exists(self): |
|---|
| 434 |
path = self._get_file_path() |
|---|
| 435 |
return os.path.exists(path) |
|---|
| 436 |
|
|---|
| 437 |
def _load(self, path=None): |
|---|
| 438 |
if path is None: |
|---|
| 439 |
path = self._get_file_path() |
|---|
| 440 |
try: |
|---|
| 441 |
f = open(path, "rb") |
|---|
| 442 |
try: |
|---|
| 443 |
return pickle.load(f) |
|---|
| 444 |
finally: |
|---|
| 445 |
f.close() |
|---|
| 446 |
except (IOError, EOFError): |
|---|
| 447 |
return None |
|---|
| 448 |
|
|---|
| 449 |
def _save(self, expiration_time): |
|---|
| 450 |
f = open(self._get_file_path(), "wb") |
|---|
| 451 |
try: |
|---|
| 452 |
pickle.dump((self._data, expiration_time), f, self.pickle_protocol) |
|---|
| 453 |
finally: |
|---|
| 454 |
f.close() |
|---|
| 455 |
|
|---|
| 456 |
def _delete(self): |
|---|
| 457 |
try: |
|---|
| 458 |
os.unlink(self._get_file_path()) |
|---|
| 459 |
except OSError: |
|---|
| 460 |
pass |
|---|
| 461 |
|
|---|
| 462 |
def acquire_lock(self, path=None): |
|---|
| 463 |
"""Acquire an exclusive lock on the currently-loaded session data.""" |
|---|
| 464 |
if path is None: |
|---|
| 465 |
path = self._get_file_path() |
|---|
| 466 |
path += self.LOCK_SUFFIX |
|---|
| 467 |
while True: |
|---|
| 468 |
try: |
|---|
| 469 |
lockfd = os.open(path, os.O_CREAT|os.O_WRONLY|os.O_EXCL) |
|---|
| 470 |
except OSError: |
|---|
| 471 |
time.sleep(0.1) |
|---|
| 472 |
else: |
|---|
| 473 |
os.close(lockfd) |
|---|
| 474 |
break |
|---|
| 475 |
self.locked = True |
|---|
| 476 |
|
|---|
| 477 |
def release_lock(self, path=None): |
|---|
| 478 |
"""Release the lock on the currently-loaded session data.""" |
|---|
| 479 |
if path is None: |
|---|
| 480 |
path = self._get_file_path() |
|---|
| 481 |
os.unlink(path + self.LOCK_SUFFIX) |
|---|
| 482 |
self.locked = False |
|---|
| 483 |
|
|---|
| 484 |
def clean_up(self): |
|---|
| 485 |
"""Clean up expired sessions.""" |
|---|
| 486 |
now = datetime.datetime.now() |
|---|
| 487 |
|
|---|
| 488 |
for fname in os.listdir(self.storage_path): |
|---|
| 489 |
if (fname.startswith(self.SESSION_PREFIX) |
|---|
| 490 |
and not fname.endswith(self.LOCK_SUFFIX)): |
|---|
| 491 |
|
|---|
| 492 |
|
|---|
| 493 |
path = os.path.join(self.storage_path, fname) |
|---|
| 494 |
self.acquire_lock(path) |
|---|
| 495 |
try: |
|---|
| 496 |
contents = self._load(path) |
|---|
| 497 |
|
|---|
| 498 |
if contents is not None: |
|---|
| 499 |
data, expiration_time = contents |
|---|
| 500 |
if expiration_time < now: |
|---|
| 501 |
|
|---|
| 502 |
os.unlink(path) |
|---|
| 503 |
finally: |
|---|
| 504 |
self.release_lock(path) |
|---|
| 505 |
|
|---|
| 506 |
def __len__(self): |
|---|
| 507 |
"""Return the number of active sessions.""" |
|---|
| 508 |
return len([fname for fname in os.listdir(self.storage_path) |
|---|
| 509 |
if (fname.startswith(self.SESSION_PREFIX) |
|---|
| 510 |
and not fname.endswith(self.LOCK_SUFFIX))]) |
|---|
| 511 |
|
|---|
| 512 |
|
|---|
| 513 |
class PostgresqlSession(Session): |
|---|
| 514 |
""" Implementation of the PostgreSQL backend for sessions. It assumes |
|---|
| 515 |
a table like this:: |
|---|
| 516 |
|
|---|
| 517 |
create table session ( |
|---|
| 518 |
id varchar(40), |
|---|
| 519 |
data text, |
|---|
| 520 |
expiration_time timestamp |
|---|
| 521 |
) |
|---|
| 522 |
|
|---|
| 523 |
You must provide your own get_db function. |
|---|
| 524 |
""" |
|---|
| 525 |
|
|---|
| 526 |
pickle_protocol = pickle.HIGHEST_PROTOCOL |
|---|
| 527 |
|
|---|
| 528 |
def __init__(self, id=None, **kwargs): |
|---|
| 529 |
Session.__init__(self, id, **kwargs) |
|---|
| 530 |
self.cursor = self.db.cursor() |
|---|
| 531 |
|
|---|
| 532 |
def setup(cls, **kwargs): |
|---|
| 533 |
"""Set up the storage system for Postgres-based sessions. |
|---|
| 534 |
|
|---|
| 535 |
This should only be called once per process; this will be done |
|---|
| 536 |
automatically when using sessions.init (as the built-in Tool does). |
|---|
| 537 |
""" |
|---|
| 538 |
for k, v in kwargs.items(): |
|---|
| 539 |
setattr(cls, k, v) |
|---|
| 540 |
|
|---|
| 541 |
self.db = self.get_db() |
|---|
| 542 |
setup = classmethod(setup) |
|---|
| 543 |
|
|---|
| 544 |
def __del__(self): |
|---|
| 545 |
if self.cursor: |
|---|
| 546 |
self.cursor.close() |
|---|
| 547 |
self.db.commit() |
|---|
| 548 |
|
|---|
| 549 |
def _exists(self): |
|---|
| 550 |
|
|---|
| 551 |
self.cursor.execute('select data, expiration_time from session ' |
|---|
| 552 |
'where id=%s', (self.id,)) |
|---|
| 553 |
rows = self.cursor.fetchall() |
|---|
| 554 |
return bool(rows) |
|---|
| 555 |
|
|---|
| 556 |
def _load(self): |
|---|
| 557 |
|
|---|
| 558 |
self.cursor.execute('select data, expiration_time from session ' |
|---|
| 559 |
'where id=%s', (self.id,)) |
|---|
| 560 |
rows = self.cursor.fetchall() |
|---|
| 561 |
if not rows: |
|---|
| 562 |
return None |
|---|
| 563 |
|
|---|
| 564 |
pickled_data, expiration_time = rows[0] |
|---|
| 565 |
data = pickle.loads(pickled_data) |
|---|
| 566 |
return data, expiration_time |
|---|
| 567 |
|
|---|
| 568 |
def _save(self, expiration_time): |
|---|
| 569 |
pickled_data = pickle.dumps(self._data, self.pickle_protocol) |
|---|
| 570 |
self.cursor.execute('update session set data = %s, ' |
|---|
| 571 |
'expiration_time = %s where id = %s', |
|---|
| 572 |
(pickled_data, expiration_time, self.id)) |
|---|
| 573 |
|
|---|
| 574 |
def _delete(self): |
|---|
| 575 |
self.cursor.execute('delete from session where id=%s', (self.id,)) |
|---|
| 576 |
|
|---|
| 577 |
def acquire_lock(self): |
|---|
| 578 |
"""Acquire an exclusive lock on the currently-loaded session data.""" |
|---|
| 579 |
|
|---|
| 580 |
self.locked = True |
|---|
| 581 |
self.cursor.execute('select id from session where id=%s for update', |
|---|
| 582 |
(self.id,)) |
|---|
| 583 |
|
|---|
| 584 |
def release_lock(self): |
|---|
| 585 |
"""Release the lock on the currently-loaded session data.""" |
|---|
| 586 |
|
|---|
| 587 |
|
|---|
| 588 |
self.cursor.close() |
|---|
| 589 |
self.locked = False |
|---|
| 590 |
|
|---|
| 591 |
def clean_up(self): |
|---|
| 592 |
"""Clean up expired sessions.""" |
|---|
| 593 |
self.cursor.execute('delete from session where expiration_time < %s', |
|---|
| 594 |
(datetime.datetime.now(),)) |
|---|
| 595 |
|
|---|
| 596 |
|
|---|
| 597 |
class MemcachedSession(Session): |
|---|
| 598 |
|
|---|
| 599 |
|
|---|
| 600 |
|
|---|
| 601 |
mc_lock = threading.RLock() |
|---|
| 602 |
|
|---|
| 603 |
|
|---|
| 604 |
locks = {} |
|---|
| 605 |
|
|---|
| 606 |
servers = ['127.0.0.1:11211'] |
|---|
| 607 |
|
|---|
| 608 |
def setup(cls, **kwargs): |
|---|
| 609 |
"""Set up the storage system for memcached-based sessions. |
|---|
| 610 |
|
|---|
| 611 |
This should only be called once per process; this will be done |
|---|
| 612 |
automatically when using sessions.init (as the built-in Tool does). |
|---|
| 613 |
""" |
|---|
| 614 |
for k, v in kwargs.items(): |
|---|
| 615 |
setattr(cls, k, v) |
|---|
| 616 |
|
|---|
| 617 |
import memcache |
|---|
| 618 |
cls.cache = memcache.Client(cls.servers) |
|---|
| 619 |
setup = classmethod(setup) |
|---|
| 620 |
|
|---|
| 621 |
def _exists(self): |
|---|
| 622 |
self.mc_lock.acquire() |
|---|
| 623 |
try: |
|---|
| 624 |
return bool(self.cache.get(self.id)) |
|---|
| 625 |
finally: |
|---|
| 626 |
self.mc_lock.release() |
|---|
| 627 |
|
|---|
| 628 |
def _load(self): |
|---|
| 629 |
self.mc_lock.acquire() |
|---|
| 630 |
try: |
|---|
| 631 |
return self.cache.get(self.id) |
|---|
| 632 |
finally: |
|---|
| 633 |
self.mc_lock.release() |
|---|
| 634 |
|
|---|
| 635 |
def _save(self, expiration_time): |
|---|
| 636 |
|
|---|
| 637 |
td = int(time.mktime(expiration_time.timetuple())) |
|---|
| 638 |
self.mc_lock.acquire() |
|---|
| 639 |
try: |
|---|
| 640 |
if not self.cache.set(self.id, (self._data, expiration_time), td): |
|---|
| 641 |
raise AssertionError("Session data for id %r not set." % self.id) |
|---|
| 642 |
finally: |
|---|
| 643 |
self.mc_lock.release() |
|---|
| 644 |
|
|---|
| 645 |
def _delete(self): |
|---|
| 646 |
self.cache.delete(self.id) |
|---|
| 647 |
|
|---|
| 648 |
def acquire_lock(self): |
|---|
| 649 |
"""Acquire an exclusive lock on the currently-loaded session data.""" |
|---|
| 650 |
self.locked = True |
|---|
| 651 |
self.locks.setdefault(self.id, threading.RLock()).acquire() |
|---|
| 652 |
|
|---|
| 653 |
def release_lock(self): |
|---|
| 654 |
"""Release the lock on the currently-loaded session data.""" |
|---|
| 655 |
self.locks[self.id].release() |
|---|
| 656 |
self.locked = False |
|---|
| 657 |
|
|---|
| 658 |
def __len__(self): |
|---|
| 659 |
"""Return the number of active sessions.""" |
|---|
| 660 |
raise NotImplementedError |
|---|
| 661 |
|
|---|
| 662 |
|
|---|
| 663 |
|
|---|
| 664 |
|
|---|
| 665 |
def save(): |
|---|
| 666 |
"""Save any changed session data.""" |
|---|
| 667 |
|
|---|
| 668 |
if not hasattr(cherrypy.serving, "session"): |
|---|
| 669 |
return |
|---|
| 670 |
request = cherrypy.serving.request |
|---|
| 671 |
response = cherrypy.serving.response |
|---|
| 672 |
|
|---|
| 673 |
|
|---|
| 674 |
if hasattr(request, "_sessionsaved"): |
|---|
| 675 |
return |
|---|
| 676 |
request._sessionsaved = True |
|---|
| 677 |
|
|---|
| 678 |
if response.stream: |
|---|
| 679 |
|
|---|
| 680 |
|
|---|
| 681 |
request.hooks.attach('on_end_request', cherrypy.session.save) |
|---|
| 682 |
else: |
|---|
| 683 |
|
|---|
| 684 |
|
|---|
| 685 |
if isinstance(response.body, types.GeneratorType): |
|---|
| 686 |
response.collapse_body() |
|---|
| 687 |
cherrypy.session.save() |
|---|
| 688 |
save.failsafe = True |
|---|
| 689 |
|
|---|
| 690 |
def close(): |
|---|
| 691 |
"""Close the session object for this request.""" |
|---|
| 692 |
sess = getattr(cherrypy.serving, "session", None) |
|---|
| 693 |
if getattr(sess, "locked", False): |
|---|
| 694 |
|
|---|
| 695 |
sess.release_lock() |
|---|
| 696 |
close.failsafe = True |
|---|
| 697 |
close.priority = 90 |
|---|
| 698 |
|
|---|
| 699 |
|
|---|
| 700 |
def init(storage_type='ram', path=None, path_header=None, name='session_id', |
|---|
| 701 |
timeout=60, domain=None, secure=False, clean_freq=5, |
|---|
| 702 |
persistent=True, debug=False, **kwargs): |
|---|
| 703 |
"""Initialize session object (using cookies). |
|---|
| 704 |
|
|---|
| 705 |
storage_type |
|---|
| 706 |
One of 'ram', 'file', 'postgresql'. This will be used |
|---|
| 707 |
to look up the corresponding class in cherrypy.lib.sessions |
|---|
| 708 |
globals. For example, 'file' will use the FileSession class. |
|---|
| 709 |
|
|---|
| 710 |
path |
|---|
| 711 |
The 'path' value to stick in the response cookie metadata. |
|---|
| 712 |
|
|---|
| 713 |
path_header |
|---|
| 714 |
If 'path' is None (the default), then the response |
|---|
| 715 |
cookie 'path' will be pulled from request.headers[path_header]. |
|---|
| 716 |
|
|---|
| 717 |
name |
|---|
| 718 |
The name of the cookie. |
|---|
| 719 |
|
|---|
| 720 |
timeout |
|---|
| 721 |
The expiration timeout (in minutes) for the stored session data. |
|---|
| 722 |
If 'persistent' is True (the default), this is also the timeout |
|---|
| 723 |
for the cookie. |
|---|
| 724 |
|
|---|
| 725 |
domain |
|---|
| 726 |
The cookie domain. |
|---|
| 727 |
|
|---|
| 728 |
secure |
|---|
| 729 |
If False (the default) the cookie 'secure' value will not |
|---|
| 730 |
be set. If True, the cookie 'secure' value will be set (to 1). |
|---|
| 731 |
|
|---|
| 732 |
clean_freq (minutes) |
|---|
| 733 |
The poll rate for expired session cleanup. |
|---|
| 734 |
|
|---|
| 735 |
persistent |
|---|
| 736 |
If True (the default), the 'timeout' argument will be used |
|---|
| 737 |
to expire the cookie. If False, the cookie will not have an expiry, |
|---|
| 738 |
and the cookie will be a "session cookie" which expires when the |
|---|
| 739 |
browser is closed. |
|---|
| 740 |
|
|---|
| 741 |
Any additional kwargs will be bound to the new Session instance, |
|---|
| 742 |
and may be specific to the storage type. See the subclass of Session |
|---|
| 743 |
you're using for more information. |
|---|
| 744 |
""" |
|---|
| 745 |
|
|---|
| 746 |
request = cherrypy.serving.request |
|---|
| 747 |
|
|---|
| 748 |
|
|---|
| 749 |
if hasattr(request, "_session_init_flag"): |
|---|
| 750 |
return |
|---|
| 751 |
request._session_init_flag = True |
|---|
| 752 |
|
|---|
| 753 |
|
|---|
| 754 |
id = None |
|---|
| 755 |
if name in request.cookie: |
|---|
| 756 |
id = request.cookie[name].value |
|---|
| 757 |
if debug: |
|---|
| 758 |
cherrypy.log('ID obtained from request.cookie: %r' % id, |
|---|
| 759 |
'TOOLS.SESSIONS') |
|---|
| 760 |
|
|---|
| 761 |
|
|---|
| 762 |
storage_class = storage_type.title() + 'Session' |
|---|
| 763 |
storage_class = globals()[storage_class] |
|---|
| 764 |
if not hasattr(cherrypy, "session"): |
|---|
| 765 |
if hasattr(storage_class, "setup"): |
|---|
| 766 |
storage_class.setup(**kwargs) |
|---|
| 767 |
|
|---|
| 768 |
|
|---|
| 769 |
|
|---|
| 770 |
|
|---|
| 771 |
kwargs['timeout'] = timeout |
|---|
| 772 |
kwargs['clean_freq'] = clean_freq |
|---|
| 773 |
cherrypy.serving.session = sess = storage_class(id, **kwargs) |
|---|
| 774 |
sess.debug = debug |
|---|
| 775 |
def update_cookie(id): |
|---|
| 776 |
"""Update the cookie every time the session id changes.""" |
|---|
| 777 |
cherrypy.serving.response.cookie[name] = id |
|---|
| 778 |
sess.id_observers.append(update_cookie) |
|---|
| 779 |
|
|---|
| 780 |
|
|---|
| 781 |
if not hasattr(cherrypy, "session"): |
|---|
| 782 |
cherrypy.session = cherrypy._ThreadLocalProxy('session') |
|---|
| 783 |
|
|---|
| 784 |
if persistent: |
|---|
| 785 |
cookie_timeout = timeout |
|---|
| 786 |
else: |
|---|
| 787 |
|
|---|
| 788 |
|
|---|
| 789 |
cookie_timeout = None |
|---|
| 790 |
set_response_cookie(path=path, path_header=path_header, name=name, |
|---|
| 791 |
timeout=cookie_timeout, domain=domain, secure=secure) |
|---|
| 792 |
|
|---|
| 793 |
|
|---|
| 794 |
def set_response_cookie(path=None, path_header=None, name='session_id', |
|---|
| 795 |
timeout=60, domain=None, secure=False): |
|---|
| 796 |
"""Set a response cookie for the client. |
|---|
| 797 |
|
|---|
| 798 |
path |
|---|
| 799 |
the 'path' value to stick in the response cookie metadata. |
|---|
| 800 |
|
|---|
| 801 |
path_header |
|---|
| 802 |
if 'path' is None (the default), then the response |
|---|
| 803 |
cookie 'path' will be pulled from request.headers[path_header]. |
|---|
| 804 |
|
|---|
| 805 |
name |
|---|
| 806 |
the name of the cookie. |
|---|
| 807 |
|
|---|
| 808 |
timeout |
|---|
| 809 |
the expiration timeout for the cookie. If 0 or other boolean |
|---|
| 810 |
False, no 'expires' param will be set, and the cookie will be a |
|---|
| 811 |
"session cookie" which expires when the browser is closed. |
|---|
| 812 |
|
|---|
| 813 |
domain |
|---|
| 814 |
the cookie domain. |
|---|
| 815 |
|
|---|
| 816 |
secure |
|---|
| 817 |
if False (the default) the cookie 'secure' value will not |
|---|
| 818 |
be set. If True, the cookie 'secure' value will be set (to 1). |
|---|
| 819 |
|
|---|
| 820 |
""" |
|---|
| 821 |
|
|---|
| 822 |
cookie = cherrypy.serving.response.cookie |
|---|
| 823 |
cookie[name] = cherrypy.serving.session.id |
|---|
| 824 |
cookie[name]['path'] = (path or cherrypy.serving.request.headers.get(path_header) |
|---|
| 825 |
or '/') |
|---|
| 826 |
|
|---|
| 827 |
|
|---|
| 828 |
|
|---|
| 829 |
|
|---|
| 830 |
|
|---|
| 831 |
|
|---|
| 832 |
if timeout: |
|---|
| 833 |
e = time.time() + (timeout * 60) |
|---|
| 834 |
cookie[name]['expires'] = httputil.HTTPDate(e) |
|---|
| 835 |
if domain is not None: |
|---|
| 836 |
cookie[name]['domain'] = domain |
|---|
| 837 |
if secure: |
|---|
| 838 |
cookie[name]['secure'] = 1 |
|---|
| 839 |
|
|---|
| 840 |
|
|---|
| 841 |
def expire(): |
|---|
| 842 |
"""Expire the current session cookie.""" |
|---|
| 843 |
name = cherrypy.serving.request.config.get('tools.sessions.name', 'session_id') |
|---|
| 844 |
one_year = 60 * 60 * 24 * 365 |
|---|
| 845 |
e = time.time() - one_year |
|---|
| 846 |
cherrypy.serving.response.cookie[name]['expires'] = httputil.HTTPDate(e) |
|---|
| 847 |
|
|---|
| 848 |
|
|---|