|
|
@ -51,6 +51,13 @@ class SessionMixin(object): |
|
|
|
#: The default mixin implementation just hardcodes `True` in. |
|
|
|
#: The default mixin implementation just hardcodes `True` in. |
|
|
|
modified = True |
|
|
|
modified = True |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#: the accessed variable indicates whether or not the session object has |
|
|
|
|
|
|
|
#: been accessed in that request. This allows flask to append a `Vary: |
|
|
|
|
|
|
|
#: Cookie` header to the response if the session is being accessed. This |
|
|
|
|
|
|
|
#: allows caching proxy servers, like Varnish, to use both the URL and the |
|
|
|
|
|
|
|
#: session cookie as keys when caching pages, preventing multiple users |
|
|
|
|
|
|
|
#: from being served the same cache. |
|
|
|
|
|
|
|
accessed = True |
|
|
|
|
|
|
|
|
|
|
|
class TaggedJSONSerializer(object): |
|
|
|
class TaggedJSONSerializer(object): |
|
|
|
"""A customized JSON serializer that supports a few extra types that |
|
|
|
"""A customized JSON serializer that supports a few extra types that |
|
|
@ -112,9 +119,18 @@ class SecureCookieSession(CallbackDict, SessionMixin): |
|
|
|
def __init__(self, initial=None): |
|
|
|
def __init__(self, initial=None): |
|
|
|
def on_update(self): |
|
|
|
def on_update(self): |
|
|
|
self.modified = True |
|
|
|
self.modified = True |
|
|
|
|
|
|
|
self.accessed = True |
|
|
|
CallbackDict.__init__(self, initial, on_update) |
|
|
|
CallbackDict.__init__(self, initial, on_update) |
|
|
|
self.modified = False |
|
|
|
self.modified = False |
|
|
|
|
|
|
|
self.accessed = False |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def __getitem__(self, key): |
|
|
|
|
|
|
|
self.accessed = True |
|
|
|
|
|
|
|
return super(SecureCookieSession, self).__getitem__(key) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def get(self, key, default=None): |
|
|
|
|
|
|
|
self.accessed = True |
|
|
|
|
|
|
|
return super(SecureCookieSession, self).get(key, default) |
|
|
|
|
|
|
|
|
|
|
|
class NullSession(SecureCookieSession): |
|
|
|
class NullSession(SecureCookieSession): |
|
|
|
"""Class used to generate nicer error messages if sessions are not |
|
|
|
"""Class used to generate nicer error messages if sessions are not |
|
|
@ -334,6 +350,12 @@ class SecureCookieSessionInterface(SessionInterface): |
|
|
|
domain = self.get_cookie_domain(app) |
|
|
|
domain = self.get_cookie_domain(app) |
|
|
|
path = self.get_cookie_path(app) |
|
|
|
path = self.get_cookie_path(app) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if session.accessed: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
response.headers.add('Vary', 'Cookie') |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
else: |
|
|
|
|
|
|
|
|
|
|
|
# Delete case. If there is no session we bail early. |
|
|
|
# Delete case. If there is no session we bail early. |
|
|
|
# If the session was modified to be empty we remove the |
|
|
|
# If the session was modified to be empty we remove the |
|
|
|
# whole cookie. |
|
|
|
# whole cookie. |
|
|
|
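Review bot: In the SecureCookieSession hunk, `accessed` is set only by `__getitem__`, `get` and the `on_update` callback, so reads that go through other dict methods leave it False. A view that branches on a membership test (e.g. `'user_id' in session`, a constructed example), or calls `setdefault` on a key that is already present (which, as far as the lines shown go, never reaches `on_update`), would get a response without `Vary: Cookie`. A shared cache could then serve one user's page to another, which is the case the new SessionMixin comment says this change prevents. Overriding `setdefault` and `__contains__` the same way, as sketched below, closes the common gaps, and the attribute comment should state which operations count as an access. In the SecureCookieSessionInterface hunk, whose enclosing method starts and ends outside the hunk, `response.vary.add('Cookie')` would avoid a duplicate `Vary` entry; the rendering also drops indentation, so confirm that the unchanged delete-case code after the added `else:` is nested as intended.

```python
    # … unchanged: __init__, __getitem__, get …

    def setdefault(self, key, default=None):
        # An existing key is returned without triggering on_update, so mark the read here.
        self.accessed = True
        return super(SecureCookieSession, self).setdefault(key, default)

    def __contains__(self, key):
        # Membership tests are reads too: a response that depends on one must vary on the cookie.
        self.accessed = True
        return super(SecureCookieSession, self).__contains__(key)
```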