Implementace logged-in hint cookie middleware
This commit is contained in:
parent
05455909c5
commit
71f98f19e7
2 changed files with 44 additions and 2 deletions
|
@ -1,7 +1,48 @@
|
||||||
|
|
||||||
from django.http import HttpResponse
|
|
||||||
from datetime import datetime, date
|
from datetime import datetime, date
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
|
from django.http import HttpResponse, HttpResponseRedirect
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
class LoggedInHintCookieMiddleware(object):
|
||||||
|
"""Middleware to securely help with 'logged-in' detection for dual HTTP/HTTPS sites.
|
||||||
|
|
||||||
|
On insecure requests: Checks for a (non-secure) cookie settings.LOGGED_IN_HINT_COOKIE_NAME
|
||||||
|
and if present, redirects to HTTPS (same adress).
|
||||||
|
Note this usually breaks non-GET (POST) requests.
|
||||||
|
|
||||||
|
On secure requests: Updates cookie settings.LOGGED_IN_HINT_COOKIE_NAME to reflect
|
||||||
|
whether an user is logged in in the current session (set/clear).
|
||||||
|
The cookie is set to expire at the same time as the sessionid cookie.
|
||||||
|
|
||||||
|
By default, LOGGED_IN_HINT_COOKIE_NAME = 'logged_in_hint'.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __init__(self):
|
||||||
|
if hasattr(settings, 'LOGGED_IN_HINT_COOKIE_NAME'):
|
||||||
|
self.cookie_name = settings.LOGGED_IN_HINT_COOKIE_NAME
|
||||||
|
else self.cookie_name = 'logged_in_hint'
|
||||||
|
|
||||||
|
def process_request(self, request):
|
||||||
|
if not request.is_secure():
|
||||||
|
if self.cookie_name in request.COOKIES:
|
||||||
|
# redirect insecure (assuming http) requests with hint cookie to https
|
||||||
|
url = HttpRequest.build_absolute_uri()
|
||||||
|
assert url[:5] == 'http:'
|
||||||
|
return HttpResponseRedirect('https:' + url[5:])
|
||||||
|
|
||||||
|
def process_response(self, request, response):
|
||||||
|
if request.is_secure():
|
||||||
|
# assuming full session info (as the conn. is secure), update hint
|
||||||
|
# cookie value is actually irrelevant, here we set 'True'
|
||||||
|
if request.user.is_authenticated():
|
||||||
|
expiry = None if request.session.get_expire_at_browser_close() else request.session.get_expiry_date()
|
||||||
|
response.set_cookie(self.cookie_name, value='True', expires=expiry, secure=False)
|
||||||
|
else:
|
||||||
|
response.delete_cookie(self.cookie_name)
|
||||||
|
|
||||||
|
|
||||||
class vzhled:
|
class vzhled:
|
||||||
|
|
||||||
def process_request(self, request):
|
def process_request(self, request):
|
||||||
|
|
|
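Review bot: `process_response` never returns `response` — the hunk ends the method at `response.delete_cookie(self.cookie_name)` — so with this middleware installed every response would be replaced by `None` and the request fails; add `return response` at the end of the method. Two more new lines cannot run as written: `else self.cookie_name = 'logged_in_hint'` in `__init__` is a syntax error, and `url = HttpRequest.build_absolute_uri()` in `process_request` names a class that is not imported instead of the request instance, which raises on exactly the insecure-with-cookie path the middleware exists for. `request.user` and `request.session` are only present when the auth and session middleware ran for this request; if an earlier middleware short-circuits a secure request, the old-style handler presumably still calls this `process_response`, so the attributes should be checked rather than assumed. The `assert url[:5] == 'http:'` is stripped under `python -O`; a plain `startswith` check keeps the scheme rewrite explicit. The rewritten methods are below.
```python
class LoggedInHintCookieMiddleware(object):
    # … unchanged: class docstring …

    def __init__(self):
        self.cookie_name = getattr(settings, 'LOGGED_IN_HINT_COOKIE_NAME', 'logged_in_hint')

    def process_request(self, request):
        if not request.is_secure() and self.cookie_name in request.COOKIES:
            # redirect insecure (assuming http) requests with hint cookie to https
            url = request.build_absolute_uri()
            if url.startswith('http:'):
                return HttpResponseRedirect('https:' + url[5:])

    def process_response(self, request, response):
        # request.user / request.session exist only when the auth and session
        # middleware ran for this request; an earlier short-circuit leaves them unset
        if request.is_secure() and hasattr(request, 'user') and hasattr(request, 'session'):
            # … unchanged: set/clear the hint cookie …
        return response
```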
@ -60,6 +60,7 @@ MIDDLEWARE_CLASSES = (
|
||||||
'django.contrib.sessions.middleware.SessionMiddleware',
|
'django.contrib.sessions.middleware.SessionMiddleware',
|
||||||
'django.middleware.common.CommonMiddleware',
|
'django.middleware.common.CommonMiddleware',
|
||||||
'django.middleware.csrf.CsrfViewMiddleware',
|
'django.middleware.csrf.CsrfViewMiddleware',
|
||||||
|
'mamweb.middleware.LoggedInHintCookieMiddleware',
|
||||||
'django.contrib.auth.middleware.AuthenticationMiddleware',
|
'django.contrib.auth.middleware.AuthenticationMiddleware',
|
||||||
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
|
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
|
||||||
'django.contrib.messages.middleware.MessageMiddleware',
|
'django.contrib.messages.middleware.MessageMiddleware',
|
||||||
|
|
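Review bot: The new entry `'mamweb.middleware.LoggedInHintCookieMiddleware'` has an ordering dependency that nothing in the tuple records: its `process_response` reads `request.session`, so it must stay after `SessionMiddleware`, and because its `process_request` can answer an insecure request with a redirect, every middleware listed below it is skipped for insecure requests carrying the hint cookie. A one-line comment above the entry would make that explicit, e.g. `# must come after SessionMiddleware (reads request.session); may redirect http->https before later middleware run`. The module path `mamweb.middleware` is assumed to match the file added in this commit; that file's path is not visible on this page.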