mirror of
				https://github.com/django/django.git
				synced 2025-10-25 22:56:12 +00:00 
			
		
		
		
	Fixed #18194 -- Expiration of file-based sessions
* Prevented stale session files from being loaded * Added removal of stale session files in django-admin.py clearsessions Thanks ej for the report, crodjer and Elvard for their inputs.
This commit is contained in:
		| @@ -1,7 +1,6 @@ | ||||
| from __future__ import unicode_literals | ||||
|  | ||||
| import base64 | ||||
| import time | ||||
| from datetime import datetime, timedelta | ||||
| try: | ||||
|     from django.utils.six.moves import cPickle as pickle | ||||
| @@ -309,3 +308,14 @@ class SessionBase(object): | ||||
|         Loads the session data and returns a dictionary. | ||||
|         """ | ||||
|         raise NotImplementedError | ||||
|  | ||||
|     @classmethod | ||||
|     def clear_expired(cls): | ||||
|         """ | ||||
|         Remove expired sessions from the session store. | ||||
|  | ||||
|         If this operation isn't possible on a given backend, it should raise | ||||
|         NotImplementedError. If it isn't necessary, because the backend has | ||||
|         a built-in expiration mechanism, it should be a no-op. | ||||
|         """ | ||||
|         raise NotImplementedError | ||||
|   | ||||
| @@ -65,3 +65,7 @@ class SessionStore(SessionBase): | ||||
|                 return | ||||
|             session_key = self.session_key | ||||
|         self._cache.delete(KEY_PREFIX + session_key) | ||||
|  | ||||
|     @classmethod | ||||
|     def clear_expired(cls): | ||||
|         pass | ||||
|   | ||||
| @@ -71,6 +71,11 @@ class SessionStore(SessionBase): | ||||
|         except Session.DoesNotExist: | ||||
|             pass | ||||
|  | ||||
|     @classmethod | ||||
|     def clear_expired(cls): | ||||
|         Session.objects.filter(expire_date__lt=timezone.now()).delete() | ||||
|         transaction.commit_unless_managed() | ||||
|  | ||||
|  | ||||
| # At bottom to avoid circular import | ||||
| from django.contrib.sessions.models import Session | ||||
|   | ||||
| @@ -1,3 +1,4 @@ | ||||
| import datetime | ||||
| import errno | ||||
| import os | ||||
| import tempfile | ||||
| @@ -5,26 +6,35 @@ import tempfile | ||||
| from django.conf import settings | ||||
| from django.contrib.sessions.backends.base import SessionBase, CreateError | ||||
| from django.core.exceptions import SuspiciousOperation, ImproperlyConfigured | ||||
|  | ||||
| from django.utils import timezone | ||||
|  | ||||
| class SessionStore(SessionBase): | ||||
|     """ | ||||
|     Implements a file based session store. | ||||
|     """ | ||||
|     def __init__(self, session_key=None): | ||||
|         self.storage_path = getattr(settings, "SESSION_FILE_PATH", None) | ||||
|         if not self.storage_path: | ||||
|             self.storage_path = tempfile.gettempdir() | ||||
|         self.storage_path = type(self)._get_storage_path() | ||||
|         self.file_prefix = settings.SESSION_COOKIE_NAME | ||||
|         super(SessionStore, self).__init__(session_key) | ||||
|  | ||||
|     @classmethod | ||||
|     def _get_storage_path(cls): | ||||
|         try: | ||||
|             return cls._storage_path | ||||
|         except AttributeError: | ||||
|             storage_path = getattr(settings, "SESSION_FILE_PATH", None) | ||||
|             if not storage_path: | ||||
|                 storage_path = tempfile.gettempdir() | ||||
|  | ||||
|             # Make sure the storage path is valid. | ||||
|         if not os.path.isdir(self.storage_path): | ||||
|             if not os.path.isdir(storage_path): | ||||
|                 raise ImproperlyConfigured( | ||||
|                     "The session storage path %r doesn't exist. Please set your" | ||||
|                     " SESSION_FILE_PATH setting to an existing directory in which" | ||||
|                 " Django can store session data." % self.storage_path) | ||||
|                     " Django can store session data." % storage_path) | ||||
|  | ||||
|         self.file_prefix = settings.SESSION_COOKIE_NAME | ||||
|         super(SessionStore, self).__init__(session_key) | ||||
|             cls._storage_path = storage_path | ||||
|             return storage_path | ||||
|  | ||||
|     VALID_KEY_CHARS = set("abcdef0123456789") | ||||
|  | ||||
| @@ -44,6 +54,18 @@ class SessionStore(SessionBase): | ||||
|  | ||||
|         return os.path.join(self.storage_path, self.file_prefix + session_key) | ||||
|  | ||||
|     def _last_modification(self): | ||||
|         """ | ||||
|         Return the modification time of the file storing the session's content. | ||||
|         """ | ||||
|         modification = os.stat(self._key_to_file()).st_mtime | ||||
|         if settings.USE_TZ: | ||||
|             modification = datetime.datetime.utcfromtimestamp(modification) | ||||
|             modification = modification.replace(tzinfo=timezone.utc) | ||||
|         else: | ||||
|             modification = datetime.datetime.fromtimestamp(modification) | ||||
|         return modification | ||||
|  | ||||
|     def load(self): | ||||
|         session_data = {} | ||||
|         try: | ||||
| @@ -56,6 +78,15 @@ class SessionStore(SessionBase): | ||||
|                     session_data = self.decode(file_data) | ||||
|                 except (EOFError, SuspiciousOperation): | ||||
|                     self.create() | ||||
|  | ||||
|                 # Remove expired sessions. | ||||
|                 expiry_age = self.get_expiry_age( | ||||
|                     modification=self._last_modification(), | ||||
|                     expiry=session_data.get('_session_expiry')) | ||||
|                 if expiry_age < 0: | ||||
|                     session_data = {} | ||||
|                     self.delete() | ||||
|                     self.create() | ||||
|         except IOError: | ||||
|             self.create() | ||||
|         return session_data | ||||
| @@ -142,3 +173,19 @@ class SessionStore(SessionBase): | ||||
|  | ||||
|     def clean(self): | ||||
|         pass | ||||
|  | ||||
|     @classmethod | ||||
|     def clear_expired(cls): | ||||
|         storage_path = getattr(settings, "SESSION_FILE_PATH", tempfile.gettempdir()) | ||||
|         file_prefix = settings.SESSION_COOKIE_NAME | ||||
|  | ||||
|         for session_file in os.listdir(storage_path): | ||||
|             if not session_file.startswith(file_prefix): | ||||
|                 continue | ||||
|             session_key = session_file[len(file_prefix):] | ||||
|             session = cls(session_key) | ||||
|             # When an expired session is loaded, its file is removed, and a | ||||
|             # new file is immediately created. Prevent this by disabling | ||||
|             # the create() method. | ||||
|             session.create = lambda: None | ||||
|             session.load() | ||||
|   | ||||
| @@ -92,3 +92,7 @@ class SessionStore(SessionBase): | ||||
|         return signing.dumps(session_cache, compress=True, | ||||
|             salt='django.contrib.sessions.backends.signed_cookies', | ||||
|             serializer=PickleSerializer) | ||||
|  | ||||
|     @classmethod | ||||
|     def clear_expired(cls): | ||||
|         pass | ||||
|   | ||||
| @@ -1,11 +1,15 @@ | ||||
| from django.conf import settings | ||||
| from django.core.management.base import NoArgsCommand | ||||
| from django.utils import timezone | ||||
| from django.utils.importlib import import_module | ||||
|  | ||||
|  | ||||
| class Command(NoArgsCommand): | ||||
|     help = "Can be run as a cronjob or directly to clean out expired sessions (only with the database backend at the moment)." | ||||
|  | ||||
|     def handle_noargs(self, **options): | ||||
|         from django.db import transaction | ||||
|         from django.contrib.sessions.models import Session | ||||
|         Session.objects.filter(expire_date__lt=timezone.now()).delete() | ||||
|         transaction.commit_unless_managed() | ||||
|         engine = import_module(settings.SESSION_ENGINE) | ||||
|         try: | ||||
|             engine.SessionStore.clear_expired() | ||||
|         except NotImplementedError: | ||||
|             self.stderr.write("Session engine '%s' doesn't support clearing " | ||||
|                               "expired sessions.\n" % settings.SESSION_ENGINE) | ||||
|   | ||||
| @@ -1,4 +1,5 @@ | ||||
| from datetime import timedelta | ||||
| import os | ||||
| import shutil | ||||
| import string | ||||
| import tempfile | ||||
| @@ -12,6 +13,7 @@ from django.contrib.sessions.backends.file import SessionStore as FileSession | ||||
| from django.contrib.sessions.backends.signed_cookies import SessionStore as CookieSession | ||||
| from django.contrib.sessions.models import Session | ||||
| from django.contrib.sessions.middleware import SessionMiddleware | ||||
| from django.core import management | ||||
| from django.core.cache import DEFAULT_CACHE_ALIAS | ||||
| from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation | ||||
| from django.http import HttpResponse | ||||
| @@ -319,6 +321,30 @@ class DatabaseSessionTests(SessionTestsMixin, TestCase): | ||||
|         del self.session._session_cache | ||||
|         self.assertEqual(self.session['y'], 2) | ||||
|  | ||||
|     @override_settings(SESSION_ENGINE="django.contrib.sessions.backends.db") | ||||
|     def test_clearsessions_command(self): | ||||
|         """ | ||||
|         Test clearsessions command for clearing expired sessions. | ||||
|         """ | ||||
|         self.assertEqual(0, Session.objects.count()) | ||||
|  | ||||
|         # One object in the future | ||||
|         self.session['foo'] = 'bar' | ||||
|         self.session.set_expiry(3600) | ||||
|         self.session.save() | ||||
|  | ||||
|         # One object in the past | ||||
|         other_session = self.backend() | ||||
|         other_session['foo'] = 'bar' | ||||
|         other_session.set_expiry(-3600) | ||||
|         other_session.save() | ||||
|  | ||||
|         # Two sessions are in the database before clearsessions... | ||||
|         self.assertEqual(2, Session.objects.count()) | ||||
|         management.call_command('clearsessions') | ||||
|         # ... and one is deleted. | ||||
|         self.assertEqual(1, Session.objects.count()) | ||||
|  | ||||
|  | ||||
| @override_settings(USE_TZ=True) | ||||
| class DatabaseSessionWithTimeZoneTests(DatabaseSessionTests): | ||||
| @@ -358,6 +384,9 @@ class FileSessionTests(SessionTestsMixin, unittest.TestCase): | ||||
|         # Do file session tests in an isolated directory, and kill it after we're done. | ||||
|         self.original_session_file_path = settings.SESSION_FILE_PATH | ||||
|         self.temp_session_store = settings.SESSION_FILE_PATH = tempfile.mkdtemp() | ||||
|         # Reset the file session backend's internal caches | ||||
|         if hasattr(self.backend, '_storage_path'): | ||||
|             del self.backend._storage_path | ||||
|         super(FileSessionTests, self).setUp() | ||||
|  | ||||
|     def tearDown(self): | ||||
| @@ -368,6 +397,7 @@ class FileSessionTests(SessionTestsMixin, unittest.TestCase): | ||||
|     @override_settings( | ||||
|         SESSION_FILE_PATH="/if/this/directory/exists/you/have/a/weird/computer") | ||||
|     def test_configuration_check(self): | ||||
|         del self.backend._storage_path | ||||
|         # Make sure the file backend checks for a good storage dir | ||||
|         self.assertRaises(ImproperlyConfigured, self.backend) | ||||
|  | ||||
| @@ -381,6 +411,37 @@ class FileSessionTests(SessionTestsMixin, unittest.TestCase): | ||||
|         self.assertRaises(SuspiciousOperation, | ||||
|                           self.backend("a/b/c").load) | ||||
|  | ||||
|     @override_settings(SESSION_ENGINE="django.contrib.sessions.backends.file") | ||||
|     def test_clearsessions_command(self): | ||||
|         """ | ||||
|         Test clearsessions command for clearing expired sessions. | ||||
|         """ | ||||
|         storage_path = self.backend._get_storage_path() | ||||
|         file_prefix = settings.SESSION_COOKIE_NAME | ||||
|  | ||||
|         def count_sessions(): | ||||
|             return len([session_file for session_file in os.listdir(storage_path) | ||||
|                                      if session_file.startswith(file_prefix)]) | ||||
|  | ||||
|         self.assertEqual(0, count_sessions()) | ||||
|  | ||||
|         # One object in the future | ||||
|         self.session['foo'] = 'bar' | ||||
|         self.session.set_expiry(3600) | ||||
|         self.session.save() | ||||
|  | ||||
|         # One object in the past | ||||
|         other_session = self.backend() | ||||
|         other_session['foo'] = 'bar' | ||||
|         other_session.set_expiry(-3600) | ||||
|         other_session.save() | ||||
|  | ||||
|         # Two sessions are in the filesystem before clearsessions... | ||||
|         self.assertEqual(2, count_sessions()) | ||||
|         management.call_command('clearsessions') | ||||
|         # ... and one is deleted. | ||||
|         self.assertEqual(1, count_sessions()) | ||||
|  | ||||
|  | ||||
| class CacheSessionTests(SessionTestsMixin, unittest.TestCase): | ||||
|  | ||||
|   | ||||
| @@ -1200,8 +1200,6 @@ clearsessions | ||||
|  | ||||
| Can be run as a cron job or directly to clean out expired sessions. | ||||
|  | ||||
| This is only supported by the database backend at the moment. | ||||
|  | ||||
| ``django.contrib.sitemaps`` | ||||
| --------------------------- | ||||
|  | ||||
|   | ||||
| @@ -272,6 +272,13 @@ You can edit it multiple times. | ||||
|       Returns either ``True`` or ``False``, depending on whether the user's | ||||
|       session cookie will expire when the user's Web browser is closed. | ||||
|  | ||||
|     .. method:: SessionBase.clear_expired | ||||
|  | ||||
|       .. versionadded:: 1.5 | ||||
|  | ||||
|       Removes expired sessions from the session store. This class method is | ||||
|       called by :djadmin:`clearsessions`. | ||||
|  | ||||
| Session object guidelines | ||||
| ------------------------- | ||||
|  | ||||
| @@ -458,22 +465,29 @@ This setting is a global default and can be overwritten at a per-session level | ||||
| by explicitly calling the :meth:`~backends.base.SessionBase.set_expiry` method | ||||
| of ``request.session`` as described above in `using sessions in views`_. | ||||
|  | ||||
| Clearing the session table | ||||
| Clearing the session store | ||||
| ========================== | ||||
|  | ||||
| If you're using the database backend, note that session data can accumulate in | ||||
| the ``django_session`` database table and Django does *not* provide automatic | ||||
| purging. Therefore, it's your job to purge expired sessions on a regular basis. | ||||
| As users create new sessions on your website, session data can accumulate in | ||||
| your session store. If you're using the database backend, the | ||||
| ``django_session`` database table will grow. If you're using the file backend, | ||||
| your temporary directory will contain an increasing number of files. | ||||
|  | ||||
| To understand this problem, consider what happens when a user uses a session. | ||||
| To understand this problem, consider what happens with the database backend. | ||||
| When a user logs in, Django adds a row to the ``django_session`` database | ||||
| table. Django updates this row each time the session data changes. If the user | ||||
| logs out manually, Django deletes the row. But if the user does *not* log out, | ||||
| the row never gets deleted. | ||||
| the row never gets deleted. A similar process happens with the file backend. | ||||
|  | ||||
| Django provides a sample clean-up script: ``django-admin.py clearsessions``. | ||||
| That script deletes any session in the session table whose ``expire_date`` is | ||||
| in the past -- but your application may have different requirements. | ||||
| Django does *not* provide automatic purging of expired sessions. Therefore, | ||||
| it's your job to purge expired sessions on a regular basis. Django provides a | ||||
| clean-up management command for this purpose: :djadmin:`clearsessions`. It's | ||||
| recommended to call this command on a regular basis, for example as a daily | ||||
| cron job. | ||||
|  | ||||
| Note that the cache backend isn't vulnerable to this problem, because caches | ||||
| automatically delete stale data. Neither is the cookie backend, because the | ||||
| session data is stored by the users' browsers. | ||||
|  | ||||
| Settings | ||||
| ======== | ||||
|   | ||||
		Reference in New Issue
	
	Block a user