| import base64 |
| import cPickle as pickle |
| |
| from django.db import models |
| from django.utils.translation import ugettext_lazy as _ |
| from django.conf import settings |
| from django.utils.hashcompat import md5_constructor |
| |
| |
| class SessionManager(models.Manager): |
| def encode(self, session_dict): |
| """ |
| Returns the given session dictionary pickled and encoded as a string. |
| """ |
| pickled = pickle.dumps(session_dict) |
| pickled_md5 = md5_constructor(pickled + settings.SECRET_KEY).hexdigest() |
| return base64.encodestring(pickled + pickled_md5) |
| |
| def save(self, session_key, session_dict, expire_date): |
| s = self.model(session_key, self.encode(session_dict), expire_date) |
| if session_dict: |
| s.save() |
| else: |
| s.delete() # Clear sessions with no data. |
| return s |
| |
| |
| class Session(models.Model): |
| """ |
| Django provides full support for anonymous sessions. The session |
| framework lets you store and retrieve arbitrary data on a |
| per-site-visitor basis. It stores data on the server side and |
| abstracts the sending and receiving of cookies. Cookies contain a |
| session ID -- not the data itself. |
| |
| The Django sessions framework is entirely cookie-based. It does |
| not fall back to putting session IDs in URLs. This is an intentional |
| design decision. Not only does that behavior make URLs ugly, it makes |
| your site vulnerable to session-ID theft via the "Referer" header. |
| |
| For complete documentation on using Sessions in your code, consult |
| the sessions documentation that is shipped with Django (also available |
| on the Django website). |
| """ |
| session_key = models.CharField(_('session key'), max_length=40, |
| primary_key=True) |
| session_data = models.TextField(_('session data')) |
| expire_date = models.DateTimeField(_('expire date')) |
| objects = SessionManager() |
| |
| class Meta: |
| db_table = 'django_session' |
| verbose_name = _('session') |
| verbose_name_plural = _('sessions') |
| |
| def get_decoded(self): |
| encoded_data = base64.decodestring(self.session_data) |
| pickled, tamper_check = encoded_data[:-32], encoded_data[-32:] |
| if md5_constructor(pickled + settings.SECRET_KEY).hexdigest() != tamper_check: |
| from django.core.exceptions import SuspiciousOperation |
| raise SuspiciousOperation, "User tampered with session cookie." |
| try: |
| return pickle.loads(pickled) |
| # Unpickling can cause a variety of exceptions. If something happens, |
| # just return an empty dictionary (an empty session). |
| except: |
| return {} |