"""
SessionSecurityMiddleware is the heart of the security that this application
attempts to provide.

To install this middleware, add to your ``settings.MIDDLEWARE_CLASSES``::

    'session_security.middleware.SessionSecurityMiddleware'

Make sure that it is placed **after** authentication middlewares.
"""
import time
from datetime import datetime, timedelta
from django import http
from django.contrib.auth import logout
from django.core.urlresolvers import reverse
from .utils import get_last_activity, set_last_activity
from .settings import EXPIRE_AFTER, PASSIVE_URLS
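class SessionSecurityMiddleware(object):
    """
    In charge of maintaining the real 'last activity' time, and log out the
    user if appropriate.

    ``process_request`` runs for every request of an authenticated user: it
    first reconciles the client-reported idle time (ping requests, see
    ``update_last_activity``), then logs the user out once the session has
    been idle for at least ``EXPIRE_AFTER`` seconds, and otherwise records the
    current request as the latest activity unless its path is listed in
    ``PASSIVE_URLS``.
    """

    def is_passive_request(self, request):
        """Return True if ``request.path`` is listed in ``PASSIVE_URLS``.

        Passive requests do not count as user activity and therefore do not
        refresh the session's 'last activity' timestamp.
        """
        return request.path in PASSIVE_URLS

    def process_request(self, request):
        """ Update last activity time or logout.

        Anonymous requests are ignored. For authenticated users the
        client-reported idle time is merged first, then the idle delta is
        compared against ``EXPIRE_AFTER``: expired sessions are logged out,
        non-passive requests refresh the timestamp to ``now``.
        """
        # Called as a method: this module still imports
        # ``django.core.urlresolvers``, i.e. a Django where
        # ``is_authenticated`` is callable.
        if not request.user.is_authenticated():
            return

        # Naive local time; it has to agree with what ``set_last_activity`` /
        # ``get_last_activity`` store in the session (defined in ``.utils``).
        now = datetime.now()
        self.update_last_activity(request, now)

        idle = now - get_last_activity(request.session)
        if idle >= timedelta(seconds=EXPIRE_AFTER):
            logout(request)
        elif not self.is_passive_request(request):
            set_last_activity(request.session, now)

    def update_last_activity(self, request, now):
        """
        If ``request.GET['idleFor']`` is set, check if it refers to a more
        recent activity than ``request.session['_session_security']`` and
        update it in this case.

        ``idleFor`` is client-controlled. It is only honoured on the
        ``session_security_ping`` URL and can only move the stored timestamp
        *forward*, to at most ``now`` (negative values are clamped to 0); it
        can never push the timestamp back into the past. A client can thus
        report recent activity — which is the point of the ping — but cannot
        make the server believe it was idle longer than recorded.
        """
        # First request of this session: seed the timestamp so the delta
        # below is well-defined.
        if '_session_security' not in request.session:
            set_last_activity(request.session, now)

        last_activity = get_last_activity(request.session)
        # total_seconds() rather than .seconds: the latter is only the
        # seconds-within-day component (0..86399) and silently drops whole
        # days, so a session idle for more than a day was compared against a
        # bogus small number.
        server_idle_for = (now - last_activity).total_seconds()

        if (request.path != reverse('session_security_ping') or
                'idleFor' not in request.GET):
            return

        # Gracefully ignore non-integer values
        try:
            client_idle_for = int(request.GET['idleFor'])
        except ValueError:
            return

        # Disallow negative values: a negative idle time would place the
        # activity in the future.
        if client_idle_for < 0:
            client_idle_for = 0

        if client_idle_for < server_idle_for:
            # Client has more recent activity than we have in the session;
            # update the session accordingly.
            last_activity = now - timedelta(seconds=client_idle_for)
            set_last_activity(request.session, last_activity)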