Implementace logged-in hint cookie middleware

2015-10-04 01:03:24 +02:00 · 2015-10-04 01:03:24 +02:00 · 71f98f19e7
commit 71f98f19e7
parent 05455909c5
2 changed files with 44 additions and 2 deletions
--- a/mamweb/middleware.py
+++ b/mamweb/middleware.py
@ -1,7 +1,48 @@
-
-from django.http import HttpResponse
 from datetime import datetime, date

+from django.conf import settings
+from django.http import HttpResponse, HttpResponseRedirect
+
+
+
+class LoggedInHintCookieMiddleware(object):
+    """Middleware to securely help with 'logged-in' detection for dual HTTP/HTTPS sites.
+    
+    On insecure requests: Checks for a (non-secure) cookie settings.LOGGED_IN_HINT_COOKIE_NAME
+    and if present, redirects to HTTPS (same adress).
+    Note this usually breaks non-GET (POST) requests.
+
+    On secure requests: Updates cookie settings.LOGGED_IN_HINT_COOKIE_NAME to reflect
+    whether an user is logged in in the current session (set/clear).
+    The cookie is set to expire at the same time as the sessionid cookie.
+
+    By default, LOGGED_IN_HINT_COOKIE_NAME = 'logged_in_hint'.
+    """
+
+    def __init__(self):
+        if hasattr(settings, 'LOGGED_IN_HINT_COOKIE_NAME'):
+            self.cookie_name = settings.LOGGED_IN_HINT_COOKIE_NAME
+        else self.cookie_name = 'logged_in_hint'
+
+    def process_request(self, request):
+        if not request.is_secure():
+            if self.cookie_name in request.COOKIES:
+                # redirect insecure (assuming http) requests with hint cookie to https
+                url = HttpRequest.build_absolute_uri()
+                assert url[:5] == 'http:'
+                return HttpResponseRedirect('https:' + url[5:])
+
+    def process_response(self, request, response):
+        if request.is_secure():
+            # assuming full session info (as the conn. is secure), update hint
+            # cookie value is actually irrelevant, here we set 'True'
+            if request.user.is_authenticated():
+                expiry = None if request.session.get_expire_at_browser_close() else request.session.get_expiry_date()
+                response.set_cookie(self.cookie_name, value='True', expires=expiry, secure=False)
+            else:
+                response.delete_cookie(self.cookie_name)
+
+
 class vzhled:

    def process_request(self, request):
--- a/mamweb/settings_common.py
+++ b/mamweb/settings_common.py
@ -60,6 +60,7 @@ MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
+    'mamweb.middleware.LoggedInHintCookieMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',