[Python-modules-commits] [django-session-security] 05/16: Check expiry before using idleFor to update the last activity

Jean-Michel Vourgère nirgal at moszumanska.debian.org
Tue Sep 13 17:04:15 UTC 2016



nirgal pushed a commit to branch debian/sid
in repository django-session-security.

commit 52d531928fd5e84a1dceaf0bc8ca47beefc52523
Author: Clayton Daley <clayton.daley at gmail.com>
Date:   Tue Aug 16 17:53:53 2016 -0500

    Check expiry before using idleFor to update the last activity
    
    The middleware updated the activity before checking the timeout.
    The update checked the idleFor param and replaced the last activity value.
    As a result, the idleFor parameter can preempt an arbitrarily long real
    timeout.
---
 session_security/middleware.py | 44 +++++++++++++++++++++---------------------
 session_security/settings.py   |  4 ----
 2 files changed, 22 insertions(+), 26 deletions(-)

diff --git a/session_security/middleware.py b/session_security/middleware.py
index 9cfe949..93c9170 100644
--- a/session_security/middleware.py
+++ b/session_security/middleware.py
@@ -37,12 +37,17 @@ class SessionSecurityMiddleware(object):
             return
 
         now = datetime.now()
-        self.update_last_activity(request, now)
+        if '_session_security' not in request.session:
+            set_last_activity(request.session, now)
+            return
 
         delta = now - get_last_activity(request.session)
         expire_seconds = self.get_expire_seconds(request)
         if delta >= timedelta(seconds=expire_seconds):
             logout(request)
+        elif (request.path == reverse('session_security_ping') and
+                'idleFor' in request.GET):
+            self.update_last_activity(request, now)
         elif not self.is_passive_request(request):
             set_last_activity(request.session, now)
 
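Review bot: A ping request that carries no `idleFor` now resets the last activity to `now`: it does not match the new `elif` on the ping path and, because the settings.py hunk drops `session_security_ping` from PASSIVE_URLS, it falls through to the `elif not self.is_passive_request(request)` branch (unless a deployment lists the ping URL in SESSION_SECURITY_PASSIVE_URLS itself). Before this change the ping was passive, so a bare status poll could not extend a session; after it, the poll alone counts as activity. If the ping is meant to stay passive, branch on the path first: `elif request.path == reverse('session_security_ping'):` / `    if 'idleFor' in request.GET:` / `        self.update_last_activity(request, now)`. The enclosing method starts before the hunk.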
@@ -52,27 +57,22 @@ class SessionSecurityMiddleware(object):
         recent activity than ``request.session['_session_security']`` and
         update it in this case.
         """
-        if '_session_security' not in request.session:
-            set_last_activity(request.session, now)
-
         last_activity = get_last_activity(request.session)
         server_idle_for = (now - last_activity).seconds
 
-        if (request.path == reverse('session_security_ping') and
-                'idleFor' in request.GET):
-            # Gracefully ignore non-integer values
-            try:
-                client_idle_for = int(request.GET['idleFor'])
-            except ValueError:
-                return
-
-            # Disallow negative values, causes problems with delta calculation
-            if client_idle_for < 0:
-                client_idle_for = 0
-
-            if client_idle_for < server_idle_for:
-                # Client has more recent activity than we have in the session
-                last_activity = now - timedelta(seconds=client_idle_for)
-
-                # Update the session
-                set_last_activity(request.session, last_activity)
+        # Gracefully ignore non-integer values
+        try:
+            client_idle_for = int(request.GET['idleFor'])
+        except ValueError:
+            return
+
+        # Disallow negative values, causes problems with delta calculation
+        if client_idle_for < 0:
+            client_idle_for = 0
+
+        if client_idle_for < server_idle_for:
+            # Client has more recent activity than we have in the session
+            last_activity = now - timedelta(seconds=client_idle_for)
+
+        # Update the session
+        set_last_activity(request.session, last_activity)
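Review bot: `set_last_activity(request.session, last_activity)` is now called unconditionally at the end of update_last_activity, even when the client's idleFor is not more recent than the server's value, so the session is rewritten with the value just read from it; the docstring above says the update happens only "in this case", and the removed lines had the write inside the `if`. Keeping the write inside the branch, `if client_idle_for < server_idle_for:` / `    set_last_activity(request.session, now - timedelta(seconds=client_idle_for))`, avoids marking the session modified on every ping (whether that forces a session save depends on the session backend, which is not visible here). Separately, `server_idle_for = (now - last_activity).seconds` keeps only the seconds component of the delta and discards whole days, so `int((now - last_activity).total_seconds())` is the safer form, though with the caller now checking expiry first this only matters when the expiry exceeds a day. With the two guards removed, the method relies on the caller having verified both that `_session_security` is in the session and that `idleFor` is in `request.GET`; a sentence in the docstring stating that precondition would keep the next caller from tripping a KeyError. The `def` line of update_last_activity is above the hunk.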
diff --git a/session_security/settings.py b/session_security/settings.py
index 1a964b1..230d58e 100644
--- a/session_security/settings.py
+++ b/session_security/settings.py
@@ -23,7 +23,6 @@ sense to use this app with ``SESSION_EXPIRE_AT_BROWSER_CLOSE`` to False.
 
 import warnings
 
-from django.core import urlresolvers
 from django.conf import settings
 
 __all__ = ['EXPIRE_AFTER', 'WARN_AFTER', 'PASSIVE_URLS']
@@ -33,9 +32,6 @@ EXPIRE_AFTER = getattr(settings, 'SESSION_SECURITY_EXPIRE_AFTER', 600)
 WARN_AFTER = getattr(settings, 'SESSION_SECURITY_WARN_AFTER', 540)
 
 PASSIVE_URLS = getattr(settings, 'SESSION_SECURITY_PASSIVE_URLS', [])
-PASSIVE_URLS += [
-    urlresolvers.reverse('session_security_ping'),
-]
 
 if not getattr(settings, 'SESSION_EXPIRE_AT_BROWSER_CLOSE', False):
     warnings.warn('settings.SESSION_EXPIRE_AT_BROWSER_CLOSE is not True')
