Remove <br/> from safe string indicating that CSRF cooking is missing.
[larjonas-mediagoblin.git] / mediagoblin / tools / session.py
bloba57f69cc959206d30a321dc059a2a8e3bc1a2ddc
1 # GNU MediaGoblin -- federated, autonomous media hosting
2 # Copyright (C) 2013 MediaGoblin contributors. See AUTHORS.
4 # This program is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU Affero General Public License as published by
6 # the Free Software Foundation, either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU Affero General Public License for more details.
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 import itsdangerous
18 import logging
20 from mediagoblin.tools import crypto
22 _log = logging.getLogger(__name__)
24 MAX_AGE = 30 * 24 * 60 * 60
26 class Session(dict):
27 def __init__(self, *args, **kwargs):
28 self.send_new_cookie = False
29 dict.__init__(self, *args, **kwargs)
31 def save(self):
32 self.send_new_cookie = True
34 def is_updated(self):
35 return self.send_new_cookie
37 def delete(self):
38 self.clear()
39 self.save()
42 class SessionManager(object):
43 def __init__(self, cookie_name='MGSession', namespace=None):
44 if namespace is None:
45 namespace = cookie_name
46 self.signer = crypto.get_timed_signer_url(namespace)
47 self.cookie_name = cookie_name
49 def load_session_from_cookie(self, request):
50 cookie = request.cookies.get(self.cookie_name)
51 if not cookie:
52 return Session()
53 ### FIXME: Future cookie-blacklisting code
54 # m = BadCookie.query.filter_by(cookie = cookie)
55 # if m:
56 # _log.warn("Bad cookie received: %s", m.reason)
57 # raise BadRequest()
58 try:
59 return Session(self.signer.loads(cookie))
60 except itsdangerous.BadData:
61 return Session()
63 def save_session_to_cookie(self, session, request, response):
64 if not session.is_updated():
65 return
66 elif not session:
67 response.delete_cookie(self.cookie_name)
68 else:
69 if session.get('stay_logged_in', False):
70 max_age = MAX_AGE
71 else:
72 max_age = None
74 response.set_cookie(self.cookie_name, self.signer.dumps(session),
75 max_age=max_age, httponly=True)