[Checkins] SVN: zope.session/trunk/ Added a 'postOnly' option on CookieClientIdManagers to only allow setting

Jim Fulton jim at zope.com
Fri Oct 3 17:19:14 EDT 2008 

Log message for revision 91714:
  Added a 'postOnly' option on CookieClientIdManagers to only allow setting
  the client id cookie on POST requests.  This is to further reduce risk from
  broken caches handing the same client id out to multiple users. (Of
  course, it doesn't help if caches are broken enough to cache POSTs.)
  

Changed:
  U   zope.session/trunk/CHANGES.txt
  U   zope.session/trunk/src/zope/session/http.py

-=-
Modified: zope.session/trunk/CHANGES.txt
===================================================================
--- zope.session/trunk/CHANGES.txt	2008-10-03 16:36:33 UTC (rev 91713)
+++ zope.session/trunk/CHANGES.txt	2008-10-03 21:19:13 UTC (rev 91714)
@@ -2,6 +2,22 @@
 CHANGES
 =======
 
+version 3.7.0 (2008-10-03)
+--------------------------
+
+New features:
+
+- Added a 'postOnly' option on CookieClientIdManagers to only allow setting
+  the client id cookie on POST requests.  This is to further reduce risk from
+  broken caches handing the same client id out to multiple users. (Of
+  course, it doesn't help if caches are broken enough to cache POSTs.)
+
+- Only set the client-id cookie if it isn't already set and try to
+  prevent the header from being cached.  This is to minimize risk from
+  broken caches handing the same client id out to multiple users. 
+
+
+
 version 3.6.0 (2008-08-12)
 --------------------------
 

Modified: zope.session/trunk/src/zope/session/http.py
===================================================================
--- zope.session/trunk/src/zope/session/http.py	2008-10-03 16:36:33 UTC (rev 91713)
+++ zope.session/trunk/src/zope/session/http.py	2008-10-03 21:19:13 UTC (rev 91714)
@@ -98,6 +98,12 @@
         default=False,
         )
 
+    postOnly = schema.Bool(
+        title=_('Only set cookie on POST requests'),
+        required=False,
+        default=False,
+        )
+
 class CookieClientIdManager(zope.location.Location, Persistent):
     """Session utility implemented using cookies."""
 
@@ -106,6 +112,7 @@
     thirdparty = FieldProperty(ICookieClientIdManager['thirdparty'])
     cookieLifetime = FieldProperty(ICookieClientIdManager['cookieLifetime'])
     secure = FieldProperty(ICookieClientIdManager['secure'])
+    postOnly = FieldProperty(ICookieClientIdManager['postOnly'])
 
     def __init__(self):
         self.namespace = "zope3_cs_%x" % (int(time.time()) - 1000000000)
@@ -117,7 +124,7 @@
         This creates one if necessary:
 
           >>> from zope.publisher.http import HTTPRequest
-          >>> request = HTTPRequest(StringIO(''), {}, None)
+          >>> request = HTTPRequest(StringIO(''), {})
           >>> bim = CookieClientIdManager()
           >>> id = bim.getClientId(request)
           >>> id == bim.getClientId(request)
@@ -125,7 +132,7 @@
 
         The id is retained accross requests:
 
-          >>> request2 = HTTPRequest(StringIO(''), {}, None)
+          >>> request2 = HTTPRequest(StringIO(''), {})
           >>> request2._cookies = dict(
           ...   [(name, cookie['value'])
           ...    for (name, cookie) in request.response._cookies.items()
@@ -159,25 +166,51 @@
           >>> bool(request2.response._cookies)
           True
 
+        If the postOnly attribute is set to a true value, then cookies
+        will only be set on POST requests.
+
+          >>> bim.postOnly = True
+          >>> request = HTTPRequest(StringIO(''), {})
+          >>> bim.getClientId(request)
+          Traceback (most recent call last):
+          ...
+          MissingClientIdException
+
+          >>> print request.response.getCookie(bim.namespace)
+          None
+        
+          >>> request = HTTPRequest(StringIO(''), {'REQUEST_METHOD': 'POST'})
+          >>> id = bim.getClientId(request)
+          >>> id == bim.getClientId(request)
+          True
+          
+          >>> request.response.getCookie(bim.namespace) is not None
+          True
+
+          >>> bim.postOnly = False
+
         It's also possible to use third-party cookies. E.g. Apache `mod_uid`
         or Nginx `ngx_http_userid_module` are able to issue user tracking
         cookies in front of Zope. In case thirdparty is activated Zope may
         not set a cookie.
 
           >>> bim.thirdparty = True
-          >>> request3 = HTTPRequest(StringIO(''), {}, None)
-          >>> bim.getClientId(request3)
+          >>> request = HTTPRequest(StringIO(''), {})
+          >>> bim.getClientId(request)
           Traceback (most recent call last):
           ...
           MissingClientIdException
-          >>> cookie = request3.response.getCookie(bim.namespace)
-          >>> cookie is None
-          True
 
+          >>> print request.response.getCookie(bim.namespace)
+          None
+
         """
         sid = self.getRequestId(request)
         if sid is None:
-            if self.thirdparty:
+            if (self.thirdparty
+                or
+                (self.postOnly and not (request.method == 'POST'))
+                ):
                 raise MissingClientIdException
             else:
                 sid = self.generateUniqueId()

More information about the Checkins mailing list