flaskapp / werkzeug / contrib /

Full commit
# -*- coding: utf-8 -*-

    This module contains some helper classes that help one to add session
    support to a python WSGI application.  For full client-side session
    storage see :mod:`~werkzeug.contrib.securecookie` which implements a
    secure, client-side session storage.

    Application Integration


        from werkzeug.contrib.sessions import SessionMiddleware, \

        app = SessionMiddleware(app, FilesystemSessionStore())

    The current session will then appear in the WSGI environment as
    `werkzeug.session`.  However it's recommended to not use the middleware
    but the stores directly in the application.  However for very simple
    scripts a middleware for sessions could be sufficient.

    This module does not implement methods or ways to check if a session is
    expired.  That should be done by a cronjob and storage specific.  For
    example to prune unused filesystem sessions one could check the modified
    time of the files.  It sessions are stored in the database the new()
    method should add an expiration timestamp for the session.

    For better flexibility it's recommended to not use the middleware but the
    store and session object directly in the application dispatching::

        session_store = FilesystemSessionStore()

        def application(environ, start_response):
            request = Request(environ)
            sid = request.cookies.get('cookie_name')
            if sid is None:
                request.session =
                request.session = session_store.get(sid)
            response = get_the_response_object(request)
            if request.session.should_save:
                response.set_cookie('cookie_name', request.session.sid)
            return response(environ, start_response)

    :copyright: (c) 2010 by the Werkzeug Team, see AUTHORS for more details.
    :license: BSD, see LICENSE for more details.
import re
import os
import sys
import tempfile
from os import path
from time import time
from random import random
    from hashlib import sha1
except ImportError:
    from sha import new as sha1
from cPickle import dump, load, HIGHEST_PROTOCOL

from werkzeug import ClosingIterator, dump_cookie, parse_cookie, CallbackDict
from werkzeug.posixemulation import rename

_sha1_re = re.compile(r'^[a-f0-9]{40}$')

def _urandom():
    if hasattr(os, 'urandom'):
        return os.urandom(30)
    return random()

def generate_key(salt=None):
    return sha1('%s%s%s' % (salt, time(), _urandom())).hexdigest()

class ModificationTrackingDict(CallbackDict):
    __slots__ = ('modified',)

    def __init__(self, *args, **kwargs):
        def on_update(self):
            self.modified = True
        self.modified = False
        CallbackDict.__init__(self, on_update=on_update)
        dict.update(self, *args, **kwargs)

    def copy(self):
        """Create a flat copy of the dict."""
        missing = object()
        result = object.__new__(self.__class__)
        for name in self.__slots__:
            val = getattr(self, name, missing)
            if val is not missing:
                setattr(result, name, val)
        return result

    def __copy__(self):
        return self.copy()

class Session(ModificationTrackingDict):
    """Subclass of a dict that keeps track of direct object changes.  Changes
    in mutable structures are not tracked, for those you have to set
    `modified` to `True` by hand.
    __slots__ = ModificationTrackingDict.__slots__ + ('sid', 'new')

    def __init__(self, data, sid, new=False):
        ModificationTrackingDict.__init__(self, data)
        self.sid = sid = new

    def __repr__(self):
        return '<%s %s%s>' % (
            self.should_save and '*' or ''

    def should_save(self):
        """True if the session should be saved.

        .. versionchanged:: 0.6
           By default the session is now only saved if the session is
           modified, not if it is new like it was before.
        return self.modified

class SessionStore(object):
    """Baseclass for all session stores.  The Werkzeug contrib module does not
    implement any useful stores besides the filesystem store, application
    developers are encouraged to create their own stores.

    :param session_class: The session class to use.  Defaults to

    def __init__(self, session_class=None):
        if session_class is None:
            session_class = Session
        self.session_class = session_class

    def is_valid_key(self, key):
        """Check if a key has the correct format."""
        return _sha1_re.match(key) is not None

    def generate_key(self, salt=None):
        """Simple function that generates a new session key."""
        return generate_key(salt)

    def new(self):
        """Generate a new session."""
        return self.session_class({}, self.generate_key(), True)

    def save(self, session):
        """Save a session."""

    def save_if_modified(self, session):
        """Save if a session class wants an update."""
        if session.should_save:

    def delete(self, session):
        """Delete a session."""

    def get(self, sid):
        """Get a session for this sid or a new session object.  This method
        has to check if the session key is valid and create a new session if
        that wasn't the case.
        return self.session_class({}, sid, True)

#: used for temporary files by the filesystem session store
_fs_transaction_suffix = '.__wz_sess'

class FilesystemSessionStore(SessionStore):
    """Simple example session store that saves sessions on the filesystem.
    This store works best on POSIX systems and Windows Vista / Windows
    Server 2008 and newer.

    .. versionchanged:: 0.6
       `renew_missing` was added.  Previously this was considered `True`,
       now the default changed to `False` and it can be explicitly

    :param path: the path to the folder used for storing the sessions.
                 If not provided the default temporary directory is used.
    :param filename_template: a string template used to give the session
                              a filename.  ``%s`` is replaced with the
                              session id.
    :param session_class: The session class to use.  Defaults to
    :param renew_missing: set to `True` if you want the store to
                          give the user a new sid if the session was
                          not yet saved.

    def __init__(self, path=None, filename_template='werkzeug_%s.sess',
                 session_class=None, renew_missing=False, mode=0644):
        SessionStore.__init__(self, session_class)
        if path is None:
            path = tempfile.gettempdir()
        self.path = path
        if isinstance(filename_template, unicode):
            filename_template = filename_template.encode(
                sys.getfilesystemencoding() or 'utf-8')
        assert not filename_template.endswith(_fs_transaction_suffix), \
            'filename templates may not end with %s' % _fs_transaction_suffix
        self.filename_template = filename_template
        self.renew_missing = renew_missing
        self.mode = mode

    def get_session_filename(self, sid):
        # out of the box, this should be a strict ASCII subset but
        # you might reconfigure the session object to have a more
        # arbitrary string.
        if isinstance(sid, unicode):
            sid = sid.encode(sys.getfilesystemencoding() or 'utf-8')
        return path.join(self.path, self.filename_template % sid)

    def save(self, session):
        fn = self.get_session_filename(session.sid)
        fd, tmp = tempfile.mkstemp(suffix=_fs_transaction_suffix,
        f = os.fdopen(fd, 'wb')
            dump(dict(session), f, HIGHEST_PROTOCOL)
            rename(tmp, fn)
            os.chmod(fn, self.mode)
        except (IOError, OSError):

    def delete(self, session):
        fn = self.get_session_filename(session.sid)
        except OSError:

    def get(self, sid):
        if not self.is_valid_key(sid):
            f = open(self.get_session_filename(sid), 'rb')
        except IOError:
            if self.renew_missing:
            data = {}
                    data = load(f)
                except Exception:
                    data = {}
        return self.session_class(data, sid, False)

    def list(self):
        """Lists all sessions in the store.

        .. versionadded:: 0.6
        before, after = self.filename_template.split('%s', 1)
        filename_re = re.compile(r'%s(.{5,})%s$' % (re.escape(before),
        result = []
        for filename in os.listdir(self.path):
            #: this is a session that is still being saved.
            if filename.endswith(_fs_transaction_suffix):
            match = filename_re.match(filename)
            if match is not None:
        return result

class SessionMiddleware(object):
    """A simple middleware that puts the session object of a store provided
    into the WSGI environ.  It automatically sets cookies and restores

    However a middleware is not the preferred solution because it won't be as
    fast as sessions managed by the application itself and will put a key into
    the WSGI environment only relevant for the application which is against
    the concept of WSGI.

    The cookie parameters are the same as for the :func:`~werkzeug.dump_cookie`
    function just prefixed with ``cookie_``.  Additionally `max_age` is
    called `cookie_age` and not `cookie_max_age` because of backwards

    def __init__(self, app, store, cookie_name='session_id',
                 cookie_age=None, cookie_expires=None, cookie_path='/',
                 cookie_domain=None, cookie_secure=None,
                 cookie_httponly=False, environ_key='werkzeug.session'): = app = store
        self.cookie_name = cookie_name
        self.cookie_age = cookie_age
        self.cookie_expires = cookie_expires
        self.cookie_path = cookie_path
        self.cookie_domain = cookie_domain
        self.cookie_secure = cookie_secure
        self.cookie_httponly = cookie_httponly
        self.environ_key = environ_key

    def __call__(self, environ, start_response):
        cookie = parse_cookie(environ.get('HTTP_COOKIE', ''))
        sid = cookie.get(self.cookie_name, None)
        if sid is None:
            session =
            session =
        environ[self.environ_key] = session

        def injecting_start_response(status, headers, exc_info=None):
            if session.should_save:
                headers.append(('Set-Cookie', dump_cookie(self.cookie_name,
                                session.sid, self.cookie_age,
                                self.cookie_expires, self.cookie_path,
                                self.cookie_domain, self.cookie_secure,
            return start_response(status, headers, exc_info)
        return ClosingIterator(, injecting_start_response),