shazaman23 / webapp-improved

Automatically exported from code.google.com/p/webapp-improved
Other
0 stars 0 forks source link

webapp2_extras.auth:invalid cookie signature only warning but no action taken #86

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

1. change secret_key in config or compromise cookie
2. now every request that accesses session info
   will issue a logging warning "invalid cookie signature ..."

The warning should be there only once and steps inside webapp2 should be taken
to recover, e.g. marking session modified in order to make the cookie value get 
regenerated and re-sent to client.

[Else an exception should be raised to allow the application to 
modify the session by itself.]

webapp2 version: 2.5.2
gae: 1.8.6
os: archlinux

Original issue reported on code.google.com by dontbit...@gmail.com on 3 Dec 2013 at 6:04

GoogleCodeExporter commented 8 years ago
'new' can be used to get a hint that possibly the client's cookie is not OK
Something like this will induce resending:

    def dispatch(self):
        self.session_store = sessions.get_store(request=self.request)
        if self.session_store.get_session().new:
            #modified session will be re-sent
            self.session_store.get_session().update({})
        try:
            webapp2.RequestHandler.dispatch(self)
        finally:
            self.session_store.save_sessions(self.response)

Original comment by dontbit...@gmail.com on 4 Dec 2013 at 10:40