1 files changed, 67 insertions, 0 deletions

diff --git a/webapp/django/contrib/sessions/models.py b/webapp/django/contrib/sessions/models.py
new file mode 100644
index 0000000000..cf2865fcc8
--- /dev/null
+++ b/webapp/django/contrib/sessions/models.py
@@ -0,0 +1,67 @@
+import base64
+import cPickle as pickle
+
+from django.db import models
+from django.utils.translation import ugettext_lazy as _
+from django.conf import settings
+from django.utils.hashcompat import md5_constructor
+
+
+class SessionManager(models.Manager):
+    def encode(self, session_dict):
+        """
+        Returns the given session dictionary pickled and encoded as a string.
+        """
+        pickled = pickle.dumps(session_dict)
+        pickled_md5 = md5_constructor(pickled + settings.SECRET_KEY).hexdigest()
+        return base64.encodestring(pickled + pickled_md5)
+
+    def save(self, session_key, session_dict, expire_date):
+        s = self.model(session_key, self.encode(session_dict), expire_date)
+        if session_dict:
+            s.save()
+        else:
+            s.delete() # Clear sessions with no data.
+        return s
+
+
+class Session(models.Model):
+    """
+    Django provides full support for anonymous sessions. The session
+    framework lets you store and retrieve arbitrary data on a
+    per-site-visitor basis. It stores data on the server side and
+    abstracts the sending and receiving of cookies. Cookies contain a
+    session ID -- not the data itself.
+
+    The Django sessions framework is entirely cookie-based. It does
+    not fall back to putting session IDs in URLs. This is an intentional
+    design decision. Not only does that behavior make URLs ugly, it makes
+    your site vulnerable to session-ID theft via the "Referer" header.
+
+    For complete documentation on using Sessions in your code, consult
+    the sessions documentation that is shipped with Django (also available
+    on the Django website).
+    """
+    session_key = models.CharField(_('session key'), max_length=40,
+                                   primary_key=True)
+    session_data = models.TextField(_('session data'))
+    expire_date = models.DateTimeField(_('expire date'))
+    objects = SessionManager()
+
+    class Meta:
+        db_table = 'django_session'
+        verbose_name = _('session')
+        verbose_name_plural = _('sessions')
+
+    def get_decoded(self):
+        encoded_data = base64.decodestring(self.session_data)
+        pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
+        if md5_constructor(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
+            from django.core.exceptions import SuspiciousOperation
+            raise SuspiciousOperation, "User tampered with session cookie."
+        try:
+            return pickle.loads(pickled)
+        # Unpickling can cause a variety of exceptions. If something happens,
+        # just return an empty dictionary (an empty session).
+        except:
+            return {}