210 """ |
210 """ |
211 cookie = req.get_cookie() |
211 cookie = req.get_cookie() |
212 sessioncookie = self.session_cookie(req) |
212 sessioncookie = self.session_cookie(req) |
213 try: |
213 try: |
214 sessionid = str(cookie[sessioncookie].value) |
214 sessionid = str(cookie[sessioncookie].value) |
215 except KeyError: # no session cookie |
215 self.get_session(req, sessionid) |
216 session = self.open_session(req) |
216 except (KeyError, InvalidSession): # no valid session cookie |
217 else: |
217 self.open_session(req) |
218 try: |
|
219 session = self.get_session(req, sessionid) |
|
220 except InvalidSession: |
|
221 # try to open a new session, so we get an anonymous session if |
|
222 # allowed |
|
223 session = self.open_session(req) |
|
224 else: |
|
225 if not session.cnx: |
|
226 # session exists but is not bound to a connection. We should |
|
227 # try to authenticate |
|
228 loginsucceed = False |
|
229 try: |
|
230 if self.open_session(req, allow_no_cnx=False): |
|
231 loginsucceed = True |
|
232 except Redirect: |
|
233 # may be raised in open_session (by postlogin mechanism) |
|
234 # on successful connection |
|
235 loginsucceed = True |
|
236 raise |
|
237 except AuthenticationError: |
|
238 # authentication failed, continue to use this session |
|
239 req.set_session(session) |
|
240 finally: |
|
241 if loginsucceed: |
|
242 # session should be replaced by new session created |
|
243 # in open_session |
|
244 self.session_manager.close_session(session) |
|
245 |
218 |
246 def get_session(self, req, sessionid): |
219 def get_session(self, req, sessionid): |
247 session = self.session_manager.get_session(req, sessionid) |
220 session = self.session_manager.get_session(req, sessionid) |
248 session.mtime = time() |
221 session.mtime = time() |
249 return session |
222 return session |
250 |
223 |
251 def open_session(self, req, allow_no_cnx=True): |
224 def open_session(self, req): |
252 session = self.session_manager.open_session(req, allow_no_cnx=allow_no_cnx) |
225 session = self.session_manager.open_session(req) |
253 sessioncookie = self.session_cookie(req) |
226 sessioncookie = self.session_cookie(req) |
254 secure = req.https and req.base_url().startswith('https://') |
227 secure = req.https and req.base_url().startswith('https://') |
255 req.set_cookie(sessioncookie, session.sessionid, |
228 req.set_cookie(sessioncookie, session.sessionid, |
256 maxage=None, secure=secure) |
229 maxage=None, secure=secure) |
257 if not session.anonymous_session: |
230 if not session.anonymous_session: |
360 # activate realm-based auth |
333 # activate realm-based auth |
361 realm = self.vreg.config['realm'] |
334 realm = self.vreg.config['realm'] |
362 req.set_header('WWW-Authenticate', [('Basic', {'realm' : realm })], raw=False) |
335 req.set_header('WWW-Authenticate', [('Basic', {'realm' : realm })], raw=False) |
363 content = '' |
336 content = '' |
364 try: |
337 try: |
365 self.connect(req) |
338 try: |
|
339 self.connect(req) |
|
340 except AuthenticationError: |
|
341 # XXX We want to clean up this approach in the future. But |
|
342 # several cubes like registration or forgotten password rely on |
|
343 # this principle. |
|
344 req.set_session(DBAPISession(None)) |
366 # DENY https acces for anonymous_user |
345 # DENY https acces for anonymous_user |
367 if (req.https |
346 if (req.https |
368 and req.session.anonymous_session |
347 and req.session.anonymous_session |
369 and self.vreg.config['https-deny-anonymous']): |
348 and self.vreg.config['https-deny-anonymous']): |
370 # don't allow anonymous on https connection |
349 # don't allow anonymous on https connection |