Ticket #3461: issue.3461.1.patch

twisted/web/server.py

@@ -53 +53 @@
         return tuple(addr)
 
 class Request(pb.Copyable, http.Request, components.Componentized):
+    """
+    An HTTP request.
+
+    @ivar session: This stores a session available to HTTP and HTTPS requests.
+    """
     implements(iweb.IRequest)
 
     site = None
@@ -264 +269 @@
     ### these calls remain local
 
     session = None
+    _secureSession = None
+
+    def getSession(self, sessionInterface=None, forceNotSecure=False):
+        """
+        Check if there is a session cookie, and if not, create it.
+
+        By default, the cookie with be secure for HTTPS requests and not secure
+        for HTTP requests. If for some reason you need access to the insecure
+        cookie from a secure session you can set L{forceNotSecure} = True.
+        """
+        # Make sure we aren't creating a secure session on a non-secure page
+        cookieString = ''
+        session = None
+
+        secure = self.isSecure()
+
+        if secure and forceNotSecure:
+            secure = False
+
+        if not secure:
+            cookieString = 'TWISTED_SESSION'
+            session = self.session
+
+        else:
+            cookieString = 'TWISTED_SECURE_SESSION'
+            session = self._secureSession
 
-    def getSession(self, sessionInterface = None):
         # Session management
-        if not self.session:
-            cookiename = string.join(['TWISTED_SESSION'] + self.sitepath, "_")
+        if not session:
+            cookiename = string.join([cookieString] + self.sitepath, "_")
             sessionCookie = self.getCookie(cookiename)
             if sessionCookie:
                 try:
-                    self.session = self.site.getSession(sessionCookie)
+                    session = self.site.getSession(sessionCookie)
                 except KeyError:
                     pass
             # if it still hasn't been set, fix it up.
-            if not self.session:
-                self.session = self.site.makeSession()
-                self.addCookie(cookiename, self.session.uid, path='/')
-        self.session.touch()
+            if not session:
+                session = self.site.makeSession()
+                self.addCookie(cookiename, session.uid, path='/',
+                               secure=secure)
+
+        session.touch()
+
+        # Save the session to the proper place
+        if not secure:
+            self.session = session
+        else:
+            self._secureSession = session
+
         if sessionInterface:
-            return self.session.getComponent(sessionInterface)
-        return self.session
+            return session.getComponent(sessionInterface)
+
+        return session
 
     def _prePathURL(self, prepath):
         port = self.getHost().port

twisted/web/test/test_web.py

@@ -52 +52 @@
         while self.go:
             prod.resumeProducing()
 
+
     def unregisterProducer(self):
         self.go = 0
 
@@ -91 +92 @@
         """
         self.outgoingHeaders[name.lower()] = value
 
-    def getSession(self):
-        if self.session:
-            return self.session
-        assert not self.written, "Session cannot be requested after data has been written."
-        self.session = self.protoSession
-        return self.session
-
 
     def render(self, resource):
         """
@@ -122 +116 @@
     def write(self, data):
         self.written.append(data)
 
+
     def notifyFinish(self):
         """
         Return a L{Deferred} which is called back with C{None} when the request
@@ -568 +563 @@
         self.assertTrue(
             verifyObject(iweb.IRequest, server.Request(DummyChannel(), True)))
 
-
-    def testChildLink(self):
+    def test_childLink(self):
         request = server.Request(DummyChannel(), 1)
         request.gotLength(0)
         request.requestReceived('GET', '/foo/bar', 'HTTP/1.0')
@@ -579 +573 @@
         request.requestReceived('GET', '/foo/bar/', 'HTTP/1.0')
         self.assertEqual(request.childLink('baz'), 'baz')
 
-    def testPrePathURLSimple(self):
+    def test_prePathURLSimple(self):
         request = server.Request(DummyChannel(), 1)
         request.gotLength(0)
         request.requestReceived('GET', '/foo/bar', 'HTTP/1.0')
         request.setHost('example.com', 80)
         self.assertEqual(request.prePathURL(), 'http://example.com/foo/bar')
 
-    def testPrePathURLNonDefault(self):
+    def test_prePathURLNonDefault(self):
         d = DummyChannel()
         d.transport.port = 81
         request = server.Request(d, 1)
@@ -595 +589 @@
         request.requestReceived('GET', '/foo/bar', 'HTTP/1.0')
         self.assertEqual(request.prePathURL(), 'http://example.com:81/foo/bar')
 
-    def testPrePathURLSSLPort(self):
+    def test_prePathURLSSLPort(self):
         d = DummyChannel()
         d.transport.port = 443
         request = server.Request(d, 1)
@@ -604 +598 @@
         request.requestReceived('GET', '/foo/bar', 'HTTP/1.0')
         self.assertEqual(request.prePathURL(), 'http://example.com:443/foo/bar')
 
-    def testPrePathURLSSLPortAndSSL(self):
+    def test_prePathURLSSLPortAndSSL(self):
         d = DummyChannel()
         d.transport = DummyChannel.SSL()
         d.transport.port = 443
@@ -614 +608 @@
         request.requestReceived('GET', '/foo/bar', 'HTTP/1.0')
         self.assertEqual(request.prePathURL(), 'https://example.com/foo/bar')
 
-    def testPrePathURLHTTPPortAndSSL(self):
+    def test_prePathURLHTTPPortAndSSL(self):
         d = DummyChannel()
         d.transport = DummyChannel.SSL()
         d.transport.port = 80
@@ -624 +618 @@
         request.requestReceived('GET', '/foo/bar', 'HTTP/1.0')
         self.assertEqual(request.prePathURL(), 'https://example.com:80/foo/bar')
 
-    def testPrePathURLSSLNonDefault(self):
+    def test_prePathURLSSLNonDefault(self):
         d = DummyChannel()
         d.transport = DummyChannel.SSL()
         d.transport.port = 81
@@ -634 +628 @@
         request.requestReceived('GET', '/foo/bar', 'HTTP/1.0')
         self.assertEqual(request.prePathURL(), 'https://example.com:81/foo/bar')
 
-    def testPrePathURLSetSSLHost(self):
+    def test_prePathURLSetSSLHost(self):
         d = DummyChannel()
         d.transport.port = 81
         request = server.Request(d, 1)
@@ -643 +637 @@
         request.requestReceived('GET', '/foo/bar', 'HTTP/1.0')
         self.assertEqual(request.prePathURL(), 'https://foo.com:81/foo/bar')
 
-
     def test_prePathURLQuoting(self):
         """
         L{Request.prePathURL} quotes special characters in the URL segments to
@@ -656 +649 @@
         request.requestReceived('GET', '/foo%2Fbar', 'HTTP/1.0')
         self.assertEqual(request.prePathURL(), 'http://example.com/foo%2Fbar')
 
+    def test_sessionDifferentFromSecureSession(self):
+        """
+        L{Request.session} and L{Request.secure_session} should be two separate
+        sessions with unique ids.
+        """
+        d = DummyChannel()
+        d.transport = DummyChannel.SSL()
+        request = server.Request(d, 1)
+        request.site = server.Site('/')
+        request.sitepath = []
+        session = request.getSession(forceNotSecure=True)
+        secure_session = request.getSession()
+
+        # Check that the sessions are not None
+        self.assertTrue(session != None)
+        self.assertTrue(secure_session != None)
+
+        # Check that the sessions are different
+        self.assertNotEqual(session.uid, secure_session.uid)
 
+        session.expire()
+        secure_session.expire()
 
 class RootResource(resource.Resource):
     isLeaf=0