
Randy Syring  committed 28ed5e9

added Session.regenerate_id()

refs #75 - Session.regenerate_id() needed to help avoid session hijacking

  • Parent commits 4205415


Files changed (2)

File beaker/session.py

         self.clear()
         self.update(self.accessed_dict)
 
+    def regenerate_id(self):
+        """
+            creates a new session id, retains all session data
+
+            Its a good security practice to regnerate the id after a client
+            elevates priviliges.
+
+        """
+        self._create_id()
+
     # TODO: I think both these methods should be removed.  They're from
     # the original mod_python code i was ripping off but they really
     # have no use here.
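Review bot: The new `regenerate_id` only calls `self._create_id()`; if that helper (outside the hunk) merely assigns a fresh id, the backend entry stored under the old id is not removed, so an id captured before regeneration keeps resolving until it expires, which is exactly the window the commit wants to close. Consider capturing `old_id = self.id` before the call and removing the old backend entry afterwards, and confirm the cookie is rewritten so the client presents the new id. The docstring has typos worth fixing in the same commit: `regnerate` → `regenerate`, `priviliges` → `privileges`, `Its` → `It's`. The test in tests/test_session.py checks the new cookie but not the fate of the old id.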

File tests/test_session.py

     assert u'Deutchland' not in session
 
 
+def test_regenerate_id():
+    """Test :meth:`Session.regenerate_id`"""
+    session = get_session(user_cookies=True)
+    orig_id = session.id
+    session[u'foo'] = u'bar'
+
+    # cookie should be there
+    assert 'beaker.session.id=%s' % session.id in session.request['cookie_out']
+
+    session.regenerate_id()
+
+    assert session.id != orig_id
+    assert session[u'foo'] == u'bar'
+
+    # should be the new id
+    assert 'beaker.session.id=%s' % session.id in session.request['cookie_out']
+
+
 def test_timeout():
     """Test if the session times out properly"""
     session = get_session(timeout=2)
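Review bot: `test_regenerate_id` never checks that the old id stops working, which is the property that matters against hijacking; after `session.regenerate_id()` it should also assert that a session opened with `orig_id` no longer yields `u'bar'`. The substring check `assert 'beaker.session.id=%s' % session.id in session.request['cookie_out']` also passes when `cookie_out` still carries the old id next to the new one, so `assert orig_id not in session.request['cookie_out']` would close that gap. `test_timeout` continues outside the hunk.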