# (c) 2005 Ian Bicking and contributors; written for Paste (http://pythonpaste.org) # Licensed under the MIT license: http://www.opensource.org/licenses/mit-license.php """ Creates a session object in your WSGI environment. Use like: ..code-block:: Python environ['paste.session.factory']() This will return a dictionary. The contents of this dictionary will be saved to disk when the request is completed. The session will be created when you first fetch the session dictionary, and a cookie will be sent in that case. There's current no way to use sessions without cookies, and there's no way to delete a session except to clear its data. @@: This doesn't do any locking, and may cause problems when a single session is accessed concurrently. Also, it loads and saves the session for each request, with no caching. Also, sessions aren't expired. """ try: # Python 3 from http.cookies import SimpleCookie except ImportError: # Python 2 from Cookie import SimpleCookie import time import random import os import datetime import six import threading import tempfile try: import cPickle except ImportError: import pickle as cPickle try: from hashlib import md5 except ImportError: from md5 import md5 from paste import wsgilib from paste import request class SessionMiddleware(object): def __init__(self, application, global_conf=None, **factory_kw): self.application = application self.factory_kw = factory_kw def __call__(self, environ, start_response): session_factory = SessionFactory(environ, **self.factory_kw) environ['paste.session.factory'] = session_factory remember_headers = [] def session_start_response(status, headers, exc_info=None): if not session_factory.created: remember_headers[:] = [status, headers] return start_response(status, headers) headers.append(session_factory.set_cookie_header()) return start_response(status, headers, exc_info) app_iter = self.application(environ, session_start_response) def start(): if session_factory.created and remember_headers: # Tricky bastard used the session after start_response status, headers = remember_headers headers.append(session_factory.set_cookie_header()) exc = ValueError( "You cannot get the session after content from the " "app_iter has been returned") start_response(status, headers, (exc.__class__, exc, None)) def close(): if session_factory.used: session_factory.close() return wsgilib.add_start_close(app_iter, start, close) class SessionFactory(object): def __init__(self, environ, cookie_name='_SID_', session_class=None, session_expiration=60*12, # in minutes **session_class_kw): self.created = False self.used = False self.environ = environ self.cookie_name = cookie_name self.session = None self.session_class = session_class or FileSession self.session_class_kw = session_class_kw self.expiration = session_expiration def __call__(self): self.used = True if self.session is not None: return self.session.data() cookies = request.get_cookies(self.environ) session = None if self.cookie_name in cookies: self.sid = cookies[self.cookie_name].value try: session = self.session_class(self.sid, create=False, **self.session_class_kw) except KeyError: # Invalid SID pass if session is None: self.created = True self.sid = self.make_sid() session = self.session_class(self.sid, create=True, **self.session_class_kw) session.clean_up() self.session = session return session.data() def has_session(self): if self.session is not None: return True cookies = request.get_cookies(self.environ) if cookies.has_key(self.cookie_name): return True return False def make_sid(self): # @@: need better algorithm return (''.join(['%02d' % x for x in time.localtime(time.time())[:6]]) + '-' + self.unique_id()) def unique_id(self, for_object=None): """ Generates an opaque, identifier string that is practically guaranteed to be unique. If an object is passed, then its id() is incorporated into the generation. Relies on md5 and returns a 32 character long string. """ r = [time.time(), random.random()] if hasattr(os, 'times'): r.append(os.times()) if for_object is not None: r.append(id(for_object)) content = str(r) if six.PY3: content = content.encode('utf8') md5_hash = md5(content) try: return md5_hash.hexdigest() except AttributeError: # Older versions of Python didn't have hexdigest, so we'll # do it manually hexdigest = [] for char in md5_hash.digest(): hexdigest.append('%02x' % ord(char)) return ''.join(hexdigest) def set_cookie_header(self): c = SimpleCookie() c[self.cookie_name] = self.sid c[self.cookie_name]['path'] = '/' gmt_expiration_time = time.gmtime(time.time() + (self.expiration * 60)) c[self.cookie_name]['expires'] = time.strftime("%a, %d-%b-%Y %H:%M:%S GMT", gmt_expiration_time) name, value = str(c).split(': ', 1) return (name, value) def close(self): if self.session is not None: self.session.close() last_cleanup = None cleaning_up = False cleanup_cycle = datetime.timedelta(seconds=15*60) #15 min class FileSession(object): def __init__(self, sid, create=False, session_file_path=tempfile.gettempdir(), chmod=None, expiration=2880, # in minutes: 48 hours ): if chmod and isinstance(chmod, (six.binary_type, six.text_type)): chmod = int(chmod, 8) self.chmod = chmod if not sid: # Invalid... raise KeyError self.session_file_path = session_file_path self.sid = sid if not create: if not os.path.exists(self.filename()): raise KeyError self._data = None self.expiration = expiration def filename(self): return os.path.join(self.session_file_path, self.sid) def data(self): if self._data is not None: return self._data if os.path.exists(self.filename()): f = open(self.filename(), 'rb') self._data = cPickle.load(f) f.close() else: self._data = {} return self._data def close(self): if self._data is not None: filename = self.filename() exists = os.path.exists(filename) if not self._data: if exists: os.unlink(filename) else: f = open(filename, 'wb') cPickle.dump(self._data, f) f.close() if not exists and self.chmod: os.chmod(filename, self.chmod) def _clean_up(self): global cleaning_up try: exp_time = datetime.timedelta(seconds=self.expiration*60) now = datetime.datetime.now() #Open every session and check that it isn't too old for root, dirs, files in os.walk(self.session_file_path): for f in files: self._clean_up_file(f, exp_time=exp_time, now=now) finally: cleaning_up = False def _clean_up_file(self, f, exp_time, now): t = f.split("-") if len(t) != 2: return t = t[0] try: sess_time = datetime.datetime( int(t[0:4]), int(t[4:6]), int(t[6:8]), int(t[8:10]), int(t[10:12]), int(t[12:14])) except ValueError: # Probably not a session file at all return if sess_time + exp_time < now: os.remove(os.path.join(self.session_file_path, f)) def clean_up(self): global last_cleanup, cleanup_cycle, cleaning_up now = datetime.datetime.now() if cleaning_up: return if not last_cleanup or last_cleanup + cleanup_cycle < now: if not cleaning_up: cleaning_up = True try: last_cleanup = now t = threading.Thread(target=self._clean_up) t.start() except: # Normally _clean_up should set cleaning_up # to false, but if something goes wrong starting # it... cleaning_up = False raise class _NoDefault(object): def __repr__(self): return '' NoDefault = _NoDefault() def make_session_middleware( app, global_conf, session_expiration=NoDefault, expiration=NoDefault, cookie_name=NoDefault, session_file_path=NoDefault, chmod=NoDefault): """ Adds a middleware that handles sessions for your applications. The session is a peristent dictionary. To get this dictionary in your application, use ``environ['paste.session.factory']()`` which returns this persistent dictionary. Configuration: session_expiration: The time each session lives, in minutes. This controls the cookie expiration. Default 12 hours. expiration: The time each session lives on disk. Old sessions are culled from disk based on this. Default 48 hours. cookie_name: The cookie name used to track the session. Use different names to avoid session clashes. session_file_path: Sessions are put in this location, default /tmp. chmod: The octal chmod you want to apply to new sessions (e.g., 660 to make the sessions group readable/writable) Each of these also takes from the global configuration. cookie_name and chmod take from session_cookie_name and session_chmod """ if session_expiration is NoDefault: session_expiration = global_conf.get('session_expiration', 60*12) session_expiration = int(session_expiration) if expiration is NoDefault: expiration = global_conf.get('expiration', 60*48) expiration = int(expiration) if cookie_name is NoDefault: cookie_name = global_conf.get('session_cookie_name', '_SID_') if session_file_path is NoDefault: session_file_path = global_conf.get('session_file_path', '/tmp') if chmod is NoDefault: chmod = global_conf.get('session_chmod', None) return SessionMiddleware( app, session_expiration=session_expiration, expiration=expiration, cookie_name=cookie_name, session_file_path=session_file_path, chmod=chmod)