123 |
123 |
124 def session_cookie(self, req): |
124 def session_cookie(self, req): |
125 """return a string giving the name of the cookie used to store the |
125 """return a string giving the name of the cookie used to store the |
126 session identifier. |
126 session identifier. |
127 """ |
127 """ |
128 if req.https: |
|
129 return '__%s_https_session' % self.vreg.config.appid |
|
130 return '__%s_session' % self.vreg.config.appid |
128 return '__%s_session' % self.vreg.config.appid |
131 |
129 |
132 def get_session(self, req): |
130 def get_session(self, req): |
133 """Return a session object corresponding to credentials held by the req |
131 """Return a session object corresponding to credentials held by the req |
134 |
132 |
156 return session |
154 return session |
157 |
155 |
158 def open_session(self, req): |
156 def open_session(self, req): |
159 session = self.session_manager.open_session(req) |
157 session = self.session_manager.open_session(req) |
160 sessioncookie = self.session_cookie(req) |
158 sessioncookie = self.session_cookie(req) |
161 secure = req.https and req.base_url().startswith('https://') |
159 secure = req.base_url().startswith('https://') |
162 req.set_cookie(sessioncookie, session.sessionid, |
160 req.set_cookie(sessioncookie, session.sessionid, |
163 maxage=None, secure=secure, httponly=True) |
161 maxage=None, secure=secure, httponly=True) |
164 if not session.anonymous_session: |
162 if not session.anonymous_session: |
165 self.session_manager.postlogin(req, session) |
163 self.session_manager.postlogin(req, session) |
166 return session |
164 return session |
332 except Redirect as ex: |
330 except Redirect as ex: |
333 # authentication needs redirection (eg openid) |
331 # authentication needs redirection (eg openid) |
334 content = self.redirect_handler(req, ex) |
332 content = self.redirect_handler(req, ex) |
335 # Wrong, absent or Reseted credential |
333 # Wrong, absent or Reseted credential |
336 except AuthenticationError: |
334 except AuthenticationError: |
337 # If there is an https url configured and |
335 # We assume here that in http auth mode the user *May* provide |
338 # the request does not use https, redirect to login form |
336 # Authentification Credential if asked kindly. |
339 https_url = self.vreg.config['https-url'] |
337 if self.vreg.config['auth-mode'] == 'http': |
340 if https_url and req.base_url() != https_url: |
338 req.status_out = http_client.UNAUTHORIZED |
341 req.status_out = http_client.SEE_OTHER |
339 # In the other case (coky auth) we assume that there is no way |
342 req.headers_out.setHeader('location', https_url + 'login') |
340 # for the user to provide them... |
|
341 # XXX But WHY ? |
343 else: |
342 else: |
344 # We assume here that in http auth mode the user *May* provide |
343 req.status_out = http_client.FORBIDDEN |
345 # Authentification Credential if asked kindly. |
344 # If previous error handling already generated a custom content |
346 if self.vreg.config['auth-mode'] == 'http': |
345 # do not overwrite it. This is used by LogOut Except |
347 req.status_out = http_client.UNAUTHORIZED |
346 # XXX ensure we don't actually serve content |
348 # In the other case (coky auth) we assume that there is no way |
347 if not content: |
349 # for the user to provide them... |
348 content = self.need_login_content(req) |
350 # XXX But WHY ? |
|
351 else: |
|
352 req.status_out = http_client.FORBIDDEN |
|
353 # If previous error handling already generated a custom content |
|
354 # do not overwrite it. This is used by LogOut Except |
|
355 # XXX ensure we don't actually serve content |
|
356 if not content: |
|
357 content = self.need_login_content(req) |
|
358 assert isinstance(content, binary_type) |
349 assert isinstance(content, binary_type) |
359 return content |
350 return content |
360 |
351 |
361 @_deprecated_path_arg |
352 @_deprecated_path_arg |
362 def core_handle(self, req): |
353 def core_handle(self, req): |