From 0820926b500a321060ef6a76ce89fd35a252f8b0 Mon Sep 17 00:00:00 2001
From: mdipierro
Date: Thu, 24 Mar 2016 16:46:51 -0500
Subject: [PATCH] more secure sessions in cookies using json
---
 applications/examples/models/session.py |  4 +++-
 gluon/utils.py                          | 17 ++++++++---------
 2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/applications/examples/models/session.py b/applications/examples/models/session.py
index 9ead2d0f..0939ad09 100644
--- a/applications/examples/models/session.py
+++ b/applications/examples/models/session.py
@@ -1 +1,3 @@
-session.connect(request,response,cookie_key='yoursecret')
+from gluon.utils import web2py_uuid
+cookie_key = cache.ram('cookie_key',lambda: web2py_uuid(),None)
+session.connect(request,response,cookie_key=cookie_key)
diff --git a/gluon/utils.py b/gluon/utils.py
index 9e0f6679..cbc9b6d4 100644
--- a/gluon/utils.py
+++ b/gluon/utils.py
@@ -23,16 +23,12 @@ import logging
 import socket
 import base64
 import zlib
+import json
 _struct_2_long_long = struct.Struct('=QQ')
 python_version = sys.version_info[0]
-if python_version == 2:
-    import cPickle as pickle
-else:
-    import pickle
-
 import hashlib
 from hashlib import md5, sha1, sha224, sha256, sha384, sha512
@@ -163,13 +159,16 @@ def get_callable_argspec(fn):
 def pad(s, n=32, padchar=' '):
-    return s + (32 - len(s) % 32) * padchar
-
+    if len(s)n:
+        s = s[:n]
+    return s
 def secure_dumps(data, encryption_key, hash_key=None, compression_level=None):
     if not hash_key:
         hash_key = sha1(encryption_key).hexdigest()
-    dump = pickle.dumps(data, pickle.HIGHEST_PROTOCOL)
+    dump = json.dumps(data)
     if compression_level:
         dump = zlib.compress(dump, compression_level)
     key = pad(encryption_key[:32])
@@ -197,7 +196,7 @@ def secure_loads(data, encryption_key, hash_key=None, compression_level=None):
         data = data.rstrip(' ')
     if compression_level:
         data = zlib.decompress(data)
-    return pickle.loads(data)
+    return json.loads(data)
     except Exception, e:
         return None
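Review bot: `cache.ram('cookie_key',lambda: web2py_uuid(),None)` on the second added line derives the cookie signing/encryption key from an in-process cache, so — if cache.ram is process-local, as its name suggests — every worker process and every restart gets a different random key, and a cookie minted by one worker is rejected as tampered by the others (secure_loads returns None and the session is silently dropped). A random key is a clear improvement over the literal 'yoursecret', but for anything beyond a single-process development server the key must be generated once and persisted with restricted permissions (a file under the application's private folder, or a deployment secret) and read here. Since this is an example that users copy, a comment on that line such as `# per-process key: sessions do not survive a restart and are not shared across workers` would make the trade-off explicit.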
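Review bot: The rewritten `pad` now forces its argument to exactly `n` bytes and truncates anything longer, whereas the old body only ever grew the input to the next multiple of 32; this is right for `key = pad(encryption_key[:32])` at the end of the hunk, but if the same helper is still applied to the plaintext before encryption (the `data.rstrip(' ')` in secure_loads implies space-padded plaintext), every serialized session longer than 32 bytes would be cut to 32 bytes and fail to parse on load, so the plaintext call needs its own multiple-of-block-size padding or a separate key-normalizing helper. Note that in this copy the `pad` body reads `if len(s)n:` and shows only three of the eight insertions the diffstat reports, so the `<`/`>` comparisons and at least two lines appear to have been lost to HTML escaping; verify against the original commit rather than this rendering. Separately, `dump = json.dumps(data)` replacing pickle closes the deserialization-RCE path on a forged cookie, but it raises TypeError for session values that are not JSON-serializable (datetime, sets, custom objects) and silently turns tuples into lists and non-string dict keys into strings. A docstring on secure_dumps stating that `data` must be JSON-serializable and that the on-wire format changed (cookies written by the pickle version no longer load) would save callers a surprise. secure_dumps continues past the end of the hunk.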
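Review bot: `data.rstrip(' ')` two lines above the changed `return json.loads(data)` removes padding by stripping every trailing 0x20 byte, which is safe for JSON text (a document never ends in a space) but not on the `compression_level` path, where the zlib stream's trailing checksum byte can legitimately be 0x20 and is then stripped before `zlib.decompress`, making that cookie unreadable. This predates the commit, but now that the plaintext format is being changed it is the moment to switch to padding that is removed exactly (PKCS#7-style or a length prefix) instead of a character strip. The surrounding `except Exception, e:` returns None for a bad signature, bad padding and bad JSON alike and never uses `e`; `except Exception:` with a debug-level log of the failure reason would let operators tell a forged cookie from a decompress or decode error. Under Python 2, json.loads also yields unicode where pickle returned str, so values stored as str come back as unicode — callers that compare types may notice. secure_loads begins before this hunk.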