Django Sessions: Session Key Changes When the Session Is Modified

I set up a payment gateway and use sessions to store data across page requests. The following class is used to organize and store information in a session.

    from copy import deepcopy

    from django.contrib.sessions.backends.db import SessionStore


    class Gateway:
        def __init__(self, session_key=None, session_name="FOO"):
            # Store session ID and name
            self.session_key = session_key
            self.session_name = session_name
            # Get the session
            session = SessionStore(session_key=self.session_key)
            try:
                data = session[self.session_name]
            except KeyError:
                # Nothing stored under this name yet: start from defaults
                data = {'user_id': None, 'checked_in': False}
            self.__dict__.update(data)

        def save(self):
            session = SessionStore(session_key=self.session_key)
            session[self.session_name] = deepcopy(self.__dict__)
            try:
                del session['session_key']
                del session['session_name']
            except KeyError:
                pass
            session.save()

This view checks if the user is logged in. If so, he/she is redirected. If not, he/she will be asked to either log in or register as a guest.

    from django.shortcuts import redirect, render

    # FormLogin and login() are the project's own form and helper.


    def check_in(request):
        gateway = Gateway(session_key=request.session.session_key)
        if request.user.is_authenticated():
            gateway.user_id = request.user.id
            gateway.checked_in = True
            gateway.save()
            return redirect('next_step')
        else:
            login_form = FormLogin()
            if request.POST:
                data = request.POST.copy()
                if 'login' in data:
                    login_form = FormLogin(data)
                    if login_form.is_valid():
                        user = login(request, login_form)
                        if user:
                            gateway.user_id = user.id
                            gateway.checked_in = True
                            gateway.save()
                            return redirect('next_step')
                elif 'guest' in data:
                    gateway.checked_in = True
                    gateway.save()
                    return redirect('next_step')
            return render(
                request,
                'shop/login.html',
                {
                    'login_form': login_form,
                }
            )

The following view checks the variable "checked_in". This is to ensure that users do not skip the login / registration process. (As an additional note, the "login(request, login_form)" function is a function that works fine in other contexts and returns the user if it was successful, and None otherwise.)

    from django.contrib import messages
    from django.utils.translation import ugettext as _


    def next_step(request):
        gateway = Gateway(session_key=request.session.session_key)
        if not gateway.checked_in:  # edited
            messages.info(request, _(u'You must specify login first.'))
            return redirect('check_in')
        else:
            pass  # do the next step

Now for the problem:

Even when the user is authenticated, the variable "checked_in" is still false, which causes the views to loop. A new session with a new session identifier is created every time I set a variable and save it. There are some explanations in the Django docs about modifying sessions, but I cannot understand why a new session is being created or why the session key is changing.

edit: I am using a database backend.

+3
python django cookies session-cookies session
3 answers

I duplicated this error / problem:

URL RULE

 url(r'^test/', 'shop.views.catalog.test', name="test") 

VIEW FUNCTION

    def test(request):
        key1 = request.session.session_key
        request.session['test'] = 'test'
        key2 = request.session.session_key
        raise Exception("%s : %s === %s" % (key1, key2, request.session['test']))

  • Delete cookies for 127.0.0.1
  • Go to 127.0.0.1:8000/test/
    • Exception at /test/ 4793f2453758d7021a43a348a0f40a83 : 8568f729991e740395179c56cd37cf18 === test
  • Refresh the page (without clearing cookies)
    • Exception at /test/ 8568f729991e740395179c56cd37cf18 : 8568f729991e740395179c56cd37cf18 === test

So before the first change to my session, I have another session key ... unexpected behavior. I am also wondering why.

+1

Django will not save the session to the database if it was not accessed or modified, so I believe that the session_key that you use to initialize the SessionStore is not actually backed by a database record.

If this is the case: when you save your SessionStore, a new session_key [1] will be automatically assigned (since the existing key does not exist in the database and we want to avoid session fixation [2]) and saved to the DB, but this new session_key will not be assigned to the client, because your SessionStore is independent of request.session (which remains unchanged).

[1] https://github.com/django/django/blob/master/django/contrib/sessions/backends/db.py#L22

[2] https://groups.google.com/forum/?fromgroups#!topic/django-users/8b_6oTaXv7Q

A simple way to test this hypothesis would be to set request.session['kate'] = 'bob' before you initialize your Gateway class, as this should force request.session to be saved. You might want to reorganize your Gateway class so that methods that require session access take request.session as an argument.

+1
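
Added example (not part of the original answers, and not Django's code): a simplified pure-Python model of the behaviour the answer above describes, where a store refuses to adopt a key it has no record for and issues a fresh one on save. The SessionStore model, the two helper functions and the sample cookie value are constructed for illustration.

```python
import secrets


class SessionStore:
    """Simplified model of a server-side session store (not Django's code)."""
    _table = {}  # stands in for the session table in the database

    def __init__(self, session_key=None):
        self.session_key = session_key
        self._data = None

    def _load(self):
        if self._data is None:
            if self.session_key in self._table:
                self._data = dict(self._table[self.session_key])
            else:
                # No record for this key: drop it rather than adopt an
                # identifier the server never issued (session fixation defence).
                self.session_key, self._data = None, {}
        return self._data

    def get(self, name, default=None):
        return self._load().get(name, default)

    def __setitem__(self, name, value):
        self._load()[name] = value

    def save(self):
        self._load()
        if self.session_key is None:
            self.session_key = secrets.token_hex(16)  # server-issued key
        self._table[self.session_key] = dict(self._data)


def second_store_pattern(cookie_key):
    """Question's pattern: a separate store built from the cookie's key."""
    store = SessionStore(session_key=cookie_key)
    store["FOO"] = {"checked_in": True}
    store.save()
    # The client keeps sending cookie_key, so the next request sees nothing.
    next_request = SessionStore(session_key=cookie_key)
    return store.session_key, next_request.get("FOO")


def request_session_pattern(cookie_key):
    """Answer's suggestion: write through the request's own session object."""
    request_session = SessionStore(session_key=cookie_key)
    request_session["FOO"] = {"checked_in": True}
    request_session.save()
    new_cookie = request_session.session_key  # sent back in the session cookie
    next_request = SessionStore(session_key=new_cookie)
    return new_cookie, next_request.get("FOO")
```

In the first pattern the data is saved under a key the browser never receives; in the second the rotated key travels back with the response, so the next request finds the data.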

Check the value of SESSION_COOKIE_SECURE and make sure you use HTTPS when it is True.

https://github.com/lepture/flask-wtf/issues/76

0