From e21a93f9e7bd063bd465dca98afa598dc86fd9e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jon=C3=A1=C5=A1=20Havelka?= Date: Sat, 3 Aug 2024 11:06:00 +0200 Subject: [PATCH] =?UTF-8?q?Middleware=20=C5=99e=C5=A1=C3=ADc=C3=AD=20sessi?= =?UTF-8?q?oh=20mezi=20http=20a=20https=20se=20u=C5=BE=20fakt=20dlouho=20n?= =?UTF-8?q?epou=C5=BE=C3=ADv=C3=A1=20a=20nav=C3=ADc=20je=20toto=20t=C3=A9m?= =?UTF-8?q?a=20dnes=20d=C3=A1vno=20pas=C3=A9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- mamweb/middleware.py | 54 --------------------------------------- mamweb/settings_common.py | 3 --- 2 files changed, 57 deletions(-) delete mode 100644 mamweb/middleware.py diff --git a/mamweb/middleware.py b/mamweb/middleware.py deleted file mode 100644 index 208c6cbd..00000000 --- a/mamweb/middleware.py +++ /dev/null 
@@ -1,54 +0,0 @@
-from datetime import datetime, date
-
-from django.conf import settings
-from django.http import HttpResponse, HttpResponseRedirect
-
-
-
-class LoggedInHintCookieMiddleware(object):
-    """Middleware to securely help with 'logged-in' detection for dual HTTP/HTTPS sites.
-
-    On insecure requests: Checks for a (non-secure) cookie settings.LOGGED_IN_HINT_COOKIE_NAME
-    and if present, redirects to HTTPS (same adress).
-    Note this usually breaks non-GET (POST) requests.
-
-    On secure requests: Updates cookie settings.LOGGED_IN_HINT_COOKIE_NAME to reflect
-    whether an user is logged in in the current session (cookie set to 'True' or cleared).
-    The cookie is set to expire at the same time as the sessionid cookie.
-
-    By default, LOGGED_IN_HINT_COOKIE_NAME = 'logged_in_hint'.
-    """
-
-    def __init__(self):
-        if hasattr(settings, 'LOGGED_IN_HINT_COOKIE_NAME'):
-            self.cookie_name = settings.LOGGED_IN_HINT_COOKIE_NAME
-        else: self.cookie_name = 'logged_in_hint'
-        self.cookie_value = 'True'
-
-    def cookie_correct(self, request):
-        return self.cookie_name in request.COOKIES and request.COOKIES[self.cookie_name] == self.cookie_value
-
-    def process_request(self, request):
-        if not request.is_secure():
-            if self.cookie_correct(request):
-                # redirect insecure (assuming http) requests with hint cookie to https
-                url = request.build_absolute_uri()
-                assert url[:5] == 'http:'
-                return HttpResponseRedirect('https:' + url[5:])
-        return None
-
-    def process_response(self, request, response):
-        if request.is_secure():
-            # assuming full session info (as the conn. is secure)
-            try:
-                user = request.user
-            except AttributeError: # no user - ajax or other special request
-                return response
-            if user.is_authenticated():
-                if not self.cookie_correct(request):
-                    expiry = None if request.session.get_expire_at_browser_close() else request.session.get_expiry_date()
-                    response.set_cookie(self.cookie_name, value=self.cookie_value, expires=expiry, secure=False)
-            else:
-                if self.cookie_name in request.COOKIES:
-                    response.delete_cookie(self.cookie_name)
-        return response
diff --git a/mamweb/settings_common.py b/mamweb/settings_common.py
index 92124364..4bc713c8 100644
--- a/mamweb/settings_common.py
+++ b/mamweb/settings_common.py
@@ -68,9 +68,6 @@ MIDDLEWARE = (
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
-# FIXME: rozbilo se při přechodu na Django 2.0, nevím, jestli
-# se to dá zahodit bez náhrady
-# 'mamweb.middleware.LoggedInHintCookieMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',