# -*- coding: utf-8 -*- """ flaskext.session.sessions ~~~~~~~~~~~~~~~~~~~~~~~~~ Server-side Sessions and SessionInterfaces. :copyright: (c) 2014 by Shipeng Feng. :license: BSD, see LICENSE for more details. """ import time from datetime import datetime from uuid import uuid4 try: import cPickle as pickle except ImportError: import pickle from flask.sessions import SessionInterface, SessionMixin from werkzeug.datastructures import CallbackDict class ServerSideSession(CallbackDict, SessionMixin): """Baseclass for server-side based sessions.""" def __init__(self, initial=None, sid=None): def on_update(self): self.modified = True CallbackDict.__init__(self, initial, on_update) self.sid = sid self.permanent = True self.modified = False class RedisSession(ServerSideSession): pass class MemcachedSession(ServerSideSession): pass class FileSystemSession(ServerSideSession): pass class MongoDBSession(ServerSideSession): pass class NullSessionInterface(SessionInterface): """Used to open a :class:`flask.sessions.NullSession` instance. """ def open_session(self, app, request): return None class RedisSessionInterface(SessionInterface): """Uses the Redis key-value store as a session backend. :param redis: A ``redis.Redis`` instance. :param key_prefix: A prefix that is added to all Redis store keys. """ serializer = pickle session_class = RedisSession def __init__(self, url, key_prefix): from redis import Redis if url is None: self.redis = Redis() else: self.redis = Redis.from_url(url) self.key_prefix = key_prefix def _generate_sid(self): return str(uuid4()) def open_session(self, app, request): sid = request.cookies.get(app.session_cookie_name) if not sid: sid = self._generate_sid() return self.session_class(sid=sid) val = self.redis.get(self.key_prefix + sid) if val is not None: try: data = self.serializer.loads(val) return self.session_class(data, sid=sid) except: return self.session_class(sid=sid) return self.session_class(sid=sid) def save_session(self, app, session, response): domain = self.get_cookie_domain(app) path = self.get_cookie_path(app) if not session: if session.modified: self.redis.delete(self.key_prefix + session.sid) response.delete_cookie(app.session_cookie_name, domain=domain, path=path) return # Modification case. There are upsides and downsides to # emitting a set-cookie header each request. The behavior # is controlled by the :meth:`should_set_cookie` method # which performs a quick check to figure out if the cookie # should be set or not. This is controlled by the # SESSION_REFRESH_EACH_REQUEST config flag as well as # the permanent flag on the session itself. #if not self.should_set_cookie(app, session): # return httponly = self.get_cookie_httponly(app) secure = self.get_cookie_secure(app) expires = self.get_expiration_time(app, session) val = self.serializer.dumps(dict(session)) self.redis.setex(self.key_prefix + session.sid, val, int(app.permanent_session_lifetime.total_seconds())) if session.modified: response.set_cookie(app.session_cookie_name, session.sid, expires=expires, httponly=httponly, domain=domain, path=path, secure=secure) class MemcachedSessionInterface(SessionInterface): """A Session interface that uses memcached as backend. :param client: A ``memcache.Client`` instance. :param key_prefix: A prefix that is added to all Memcached store keys. """ serializer = pickle session_class = MemcachedSession def __init__(self, client, key_prefix): if client is None: client = self._get_preferred_memcache_client() if client is None: raise RuntimeError('no memcache module found') self.client = client self.key_prefix = key_prefix def _generate_sid(self): return str(uuid4()) def _get_preferred_memcache_client(self): servers = ['127.0.0.1:11211'] try: import pylibmc except ImportError: pass else: return pylibmc.Client(servers) try: import memcache except ImportError: pass else: return memcache.Client(servers) def _get_memcache_timeout(self, timeout): """ Memcached deals with long (> 30 days) timeouts in a special way. Call this function to obtain a safe value for your timeout. """ if timeout > 2592000: # 60*60*24*30, 30 days # See http://code.google.com/p/memcached/wiki/FAQ # "You can set expire times up to 30 days in the future. After that # memcached interprets it as a date, and will expire the item after # said date. This is a simple (but obscure) mechanic." # # This means that we have to switch to absolute timestamps. timeout += int(time.time()) return timeout def open_session(self, app, request): sid = request.cookies.get(app.session_cookie_name) if not sid: sid = self._generate_sid() return self.session_class(sid=sid) full_session_key = self.key_prefix + sid if isinstance(full_session_key, unicode): full_session_key = full_session_key.encode('utf-8') val = self.client.get(full_session_key) if val is not None: try: data = self.serializer.loads(val) return self.session_class(data, sid=sid) except: return self.session_class(sid=sid) return self.session_class(sid=sid) def save_session(self, app, session, response): domain = self.get_cookie_domain(app) path = self.get_cookie_path(app) full_session_key = self.key_prefix + session.sid if isinstance(full_session_key, unicode): full_session_key = full_session_key.encode('utf-8') if not session: if session.modified: self.client.delete(full_session_key) response.delete_cookie(app.session_cookie_name, domain=domain, path=path) return # Modification case. There are upsides and downsides to # emitting a set-cookie header each request. The behavior # is controlled by the :meth:`should_set_cookie` method # which performs a quick check to figure out if the cookie # should be set or not. This is controlled by the # SESSION_REFRESH_EACH_REQUEST config flag as well as # the permanent flag on the session itself. #if not self.should_set_cookie(app, session): # return httponly = self.get_cookie_httponly(app) secure = self.get_cookie_secure(app) expires = self.get_expiration_time(app, session) val = self.serializer.dumps(dict(session)) self.client.set(full_session_key, val, self._get_memcache_timeout( int(app.permanent_session_lifetime.total_seconds()))) if session.modified: response.set_cookie(app.session_cookie_name, session.sid, expires=expires, httponly=httponly, domain=domain, path=path, secure=secure) class FileSystemSessionInterface(SessionInterface): """Uses the :class:`werkzeug.contrib.cache.FileSystemCache` as a session backend. :param cache_dir: the directory where session files are stored. :param threshold: the maximum number of items the session stores before it starts deleting some. :param mode: the file mode wanted for the session files, default 0600 :param key_prefix: A prefix that is added to FileSystemCache store keys. """ session_class = FileSystemSession def __init__(self, cache_dir, threshold, mode, key_prefix): from werkzeug.contrib.cache import FileSystemCache self.cache = FileSystemCache(cache_dir, threshold=threshold, mode=mode) self.key_prefix = key_prefix def _generate_sid(self): return str(uuid4()) def open_session(self, app, request): sid = request.cookies.get(app.session_cookie_name) if not sid: sid = self._generate_sid() return self.session_class(sid=sid) data = self.cache.get(self.key_prefix + sid) if data is not None: return self.session_class(data, sid=sid) return self.session_class(sid=sid) def save_session(self, app, session, response): domain = self.get_cookie_domain(app) path = self.get_cookie_path(app) if not session: if session.modified: self.cache.delete(self.key_prefix + session.sid) response.delete_cookie(app.session_cookie_name, domain=domain, path=path) return # Modification case. There are upsides and downsides to # emitting a set-cookie header each request. The behavior # is controlled by the :meth:`should_set_cookie` method # which performs a quick check to figure out if the cookie # should be set or not. This is controlled by the # SESSION_REFRESH_EACH_REQUEST config flag as well as # the permanent flag on the session itself. #if not self.should_set_cookie(app, session): # return httponly = self.get_cookie_httponly(app) secure = self.get_cookie_secure(app) expires = self.get_expiration_time(app, session) data = dict(session) self.cache.set(self.key_prefix + session.sid, data, int(app.permanent_session_lifetime.total_seconds())) if session.modified: response.set_cookie(app.session_cookie_name, session.sid, expires=expires, httponly=httponly, domain=domain, path=path, secure=secure) class MongoDBSessionInterface(SessionInterface): """A Session interface that uses mongodb as backend. :param client: A ``pymongo.MongoClient`` instance. :param db: The database you want to use. :param collection: The collection you want to use. :param key_prefix: A prefix that is added to all MongoDB store keys. """ serializer = pickle session_class = MongoDBSession def __init__(self, client, db, collection, key_prefix): if client is None: from pymongo import MongoClient client = MongoClient() self.client = client self.store = client[db][collection] self.key_prefix = key_prefix def _generate_sid(self): return str(uuid4()) def open_session(self, app, request): sid = request.cookies.get(app.session_cookie_name) if not sid: sid = self._generate_sid() return self.session_class(sid=sid) document = self.store.find_one({'id': self.key_prefix + sid}) document = document if document and \ document.get('expiration') > datetime.utcnow() else None if document is not None: try: val = document['val'] data = self.serializer.loads(str(val)) return self.session_class(data, sid=sid) except: return self.session_class(sid=sid) return self.session_class(sid=sid) def save_session(self, app, session, response): domain = self.get_cookie_domain(app) path = self.get_cookie_path(app) store_id = self.key_prefix + session.sid if not session: if session.modified: self.store.delete({'id': store_id}) response.delete_cookie(app.session_cookie_name, domain=domain, path=path) return # Modification case. There are upsides and downsides to # emitting a set-cookie header each request. The behavior # is controlled by the :meth:`should_set_cookie` method # which performs a quick check to figure out if the cookie # should be set or not. This is controlled by the # SESSION_REFRESH_EACH_REQUEST config flag as well as # the permanent flag on the session itself. #if not self.should_set_cookie(app, session): # return httponly = self.get_cookie_httponly(app) secure = self.get_cookie_secure(app) expires = self.get_expiration_time(app, session) val = self.serializer.dumps(dict(session)) self.store.update({'id': store_id}, {'id': store_id, 'val': val, 'expiration': expires}, True) if session.modified: response.set_cookie(app.session_cookie_name, session.sid, expires=expires, httponly=httponly, domain=domain, path=path, secure=secure)