diff --git twisted/web/server.py twisted/web/server.py index 46c461a..e9b3c8b 100644 --- twisted/web/server.py +++ twisted/web/server.py @@ -53,6 +53,11 @@ def _addressToTuple(addr): return tuple(addr) class Request(pb.Copyable, http.Request, components.Componentized): + """ + An HTTP request. + + @ivar session: This stores a session available to HTTP and HTTPS requests. + """ implements(iweb.IRequest) site = None @@ -264,25 +269,60 @@ class Request(pb.Copyable, http.Request, components.Componentized): ### these calls remain local session = None + _secureSession = None + + def getSession(self, sessionInterface=None, forceNotSecure=False): + """ + Check if there is a session cookie, and if not, create it. + + By default, the cookie with be secure for HTTPS requests and not secure + for HTTP requests. If for some reason you need access to the insecure + cookie from a secure session you can set L{forceNotSecure} = True. + """ + # Make sure we aren't creating a secure session on a non-secure page + cookieString = '' + session = None + + secure = self.isSecure() + + if secure and forceNotSecure: + secure = False + + if not secure: + cookieString = 'TWISTED_SESSION' + session = self.session + + else: + cookieString = 'TWISTED_SECURE_SESSION' + session = self._secureSession - def getSession(self, sessionInterface = None): # Session management - if not self.session: - cookiename = string.join(['TWISTED_SESSION'] + self.sitepath, "_") + if not session: + cookiename = string.join([cookieString] + self.sitepath, "_") sessionCookie = self.getCookie(cookiename) if sessionCookie: try: - self.session = self.site.getSession(sessionCookie) + session = self.site.getSession(sessionCookie) except KeyError: pass # if it still hasn't been set, fix it up. - if not self.session: - self.session = self.site.makeSession() - self.addCookie(cookiename, self.session.uid, path='/') - self.session.touch() + if not session: + session = self.site.makeSession() + self.addCookie(cookiename, session.uid, path='/', + secure=secure) + + session.touch() + + # Save the session to the proper place + if not secure: + self.session = session + else: + self._secureSession = session + if sessionInterface: - return self.session.getComponent(sessionInterface) - return self.session + return session.getComponent(sessionInterface) + + return session def _prePathURL(self, prepath): port = self.getHost().port diff --git twisted/web/test/test_web.py twisted/web/test/test_web.py index 6306a56..a9ab6be 100644 --- twisted/web/test/test_web.py +++ twisted/web/test/test_web.py @@ -52,6 +52,7 @@ class DummyRequest: while self.go: prod.resumeProducing() + def unregisterProducer(self): self.go = 0 @@ -91,13 +92,6 @@ class DummyRequest: """ self.outgoingHeaders[name.lower()] = value - def getSession(self): - if self.session: - return self.session - assert not self.written, "Session cannot be requested after data has been written." - self.session = self.protoSession - return self.session - def render(self, resource): """ @@ -122,6 +116,7 @@ class DummyRequest: def write(self, data): self.written.append(data) + def notifyFinish(self): """ Return a L{Deferred} which is called back with C{None} when the request @@ -568,8 +563,7 @@ class RequestTests(unittest.TestCase): self.assertTrue( verifyObject(iweb.IRequest, server.Request(DummyChannel(), True))) - - def testChildLink(self): + def test_childLink(self): request = server.Request(DummyChannel(), 1) request.gotLength(0) request.requestReceived('GET', '/foo/bar', 'HTTP/1.0') @@ -579,14 +573,14 @@ class RequestTests(unittest.TestCase): request.requestReceived('GET', '/foo/bar/', 'HTTP/1.0') self.assertEqual(request.childLink('baz'), 'baz') - def testPrePathURLSimple(self): + def test_prePathURLSimple(self): request = server.Request(DummyChannel(), 1) request.gotLength(0) request.requestReceived('GET', '/foo/bar', 'HTTP/1.0') request.setHost('example.com', 80) self.assertEqual(request.prePathURL(), 'http://example.com/foo/bar') - def testPrePathURLNonDefault(self): + def test_prePathURLNonDefault(self): d = DummyChannel() d.transport.port = 81 request = server.Request(d, 1) @@ -595,7 +589,7 @@ class RequestTests(unittest.TestCase): request.requestReceived('GET', '/foo/bar', 'HTTP/1.0') self.assertEqual(request.prePathURL(), 'http://example.com:81/foo/bar') - def testPrePathURLSSLPort(self): + def test_prePathURLSSLPort(self): d = DummyChannel() d.transport.port = 443 request = server.Request(d, 1) @@ -604,7 +598,7 @@ class RequestTests(unittest.TestCase): request.requestReceived('GET', '/foo/bar', 'HTTP/1.0') self.assertEqual(request.prePathURL(), 'http://example.com:443/foo/bar') - def testPrePathURLSSLPortAndSSL(self): + def test_prePathURLSSLPortAndSSL(self): d = DummyChannel() d.transport = DummyChannel.SSL() d.transport.port = 443 @@ -614,7 +608,7 @@ class RequestTests(unittest.TestCase): request.requestReceived('GET', '/foo/bar', 'HTTP/1.0') self.assertEqual(request.prePathURL(), 'https://example.com/foo/bar') - def testPrePathURLHTTPPortAndSSL(self): + def test_prePathURLHTTPPortAndSSL(self): d = DummyChannel() d.transport = DummyChannel.SSL() d.transport.port = 80 @@ -624,7 +618,7 @@ class RequestTests(unittest.TestCase): request.requestReceived('GET', '/foo/bar', 'HTTP/1.0') self.assertEqual(request.prePathURL(), 'https://example.com:80/foo/bar') - def testPrePathURLSSLNonDefault(self): + def test_prePathURLSSLNonDefault(self): d = DummyChannel() d.transport = DummyChannel.SSL() d.transport.port = 81 @@ -634,7 +628,7 @@ class RequestTests(unittest.TestCase): request.requestReceived('GET', '/foo/bar', 'HTTP/1.0') self.assertEqual(request.prePathURL(), 'https://example.com:81/foo/bar') - def testPrePathURLSetSSLHost(self): + def test_prePathURLSetSSLHost(self): d = DummyChannel() d.transport.port = 81 request = server.Request(d, 1) @@ -643,7 +637,6 @@ class RequestTests(unittest.TestCase): request.requestReceived('GET', '/foo/bar', 'HTTP/1.0') self.assertEqual(request.prePathURL(), 'https://foo.com:81/foo/bar') - def test_prePathURLQuoting(self): """ L{Request.prePathURL} quotes special characters in the URL segments to @@ -656,7 +649,28 @@ class RequestTests(unittest.TestCase): request.requestReceived('GET', '/foo%2Fbar', 'HTTP/1.0') self.assertEqual(request.prePathURL(), 'http://example.com/foo%2Fbar') + def test_sessionDifferentFromSecureSession(self): + """ + L{Request.session} and L{Request.secure_session} should be two separate + sessions with unique ids. + """ + d = DummyChannel() + d.transport = DummyChannel.SSL() + request = server.Request(d, 1) + request.site = server.Site('/') + request.sitepath = [] + session = request.getSession(forceNotSecure=True) + secure_session = request.getSession() + + # Check that the sessions are not None + self.assertTrue(session != None) + self.assertTrue(secure_session != None) + + # Check that the sessions are different + self.assertNotEqual(session.uid, secure_session.uid) + session.expire() + secure_session.expire() class RootResource(resource.Resource): isLeaf=0