From 5d98d3e81832e0be73a222ef5cf6519278af5a91 Mon Sep 17 00:00:00 2001
From: Matt Bosworth
Date: Fri, 24 Oct 2014 12:56:48 -0700
Subject: [PATCH 1/3] Settings seem to be loaded before urls; changed urlresolvers.reverse() to urlresolvers.reverse_lazy so that the PASSIVE_URLS array will include the correct path
---
 session_security/settings.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/session_security/settings.py b/session_security/settings.py
index 1a964b1..510ee74 100644
--- a/session_security/settings.py
+++ b/session_security/settings.py
@@ -34,7 +34,7 @@ PASSIVE_URLS = getattr(settings, 'SESSION_SECURITY_PASSIVE_URLS', [])
 PASSIVE_URLS += [
- urlresolvers.reverse('session_security_ping'),
+ urlresolvers.reverse_lazy('session_security_ping'),
 ]
 if not getattr(settings, 'SESSION_EXPIRE_AT_BROWSER_CLOSE', False):
From 3ea6fcdcab0a9d0a40dacc912f64515113fbc25c Mon Sep 17 00:00:00 2001
From: Matthew Bosworth
Date: Thu, 6 Apr 2017 15:25:37 -0700
Subject: [PATCH 2/3] Added a noReload feature to expire a session without jumping to a login page. Includes some comments and a test
---
 .../static/session_security/script.js | 6 +++--
 .../templates/session_security/all.html | 4 +++-
 session_security/tests/test_script.py | 24 +++++++++++++++++++
 3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/session_security/static/session_security/script.js b/session_security/static/session_security/script.js
index 48ab42c..cf3cb99 100644
--- a/session_security/static/session_security/script.js
+++ b/session_security/static/session_security/script.js
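Review bot: The new `urlresolvers.reverse_lazy('session_security_ping')` entry turns `PASSIVE_URLS` into a mixed list of plain strings from the setting plus one lazy proxy, so every consumer of the list (none visible in this hunk) now has to cope with a non-`str` element: membership tests rely on the proxy's equality hook, and anything that JSON-serializes or `startswith`-matches the entries will misbehave until the value is resolved with `str()` at the point of use. Deferring resolution is the right fix for the import-order problem named in the subject, but the added line deserves a comment, e.g. `# resolved lazily: the URLconf cannot be imported while settings are loading`, so nobody "simplifies" it back to `reverse()`. Separately, `PASSIVE_URLS += [...]` extends the list object fetched from `settings` in place, so a project that defines `SESSION_SECURITY_PASSIVE_URLS` as a list sees the ping URL appended to its own setting as a side effect of this import; `PASSIVE_URLS = list(getattr(settings, 'SESSION_SECURITY_PASSIVE_URLS', [])) + [urlresolvers.reverse_lazy('session_security_ping')]` avoids that.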
@@ -15,6 +15,9 @@ if (window.yourlabs == undefined) window.yourlabs = {};
 // onbeforeunload handler that doesn't block expire().
 // - events: a list of event types to watch for activity updates.
 // - returnToUrl: a url to redirect users to expired sessions to. If this is not defined we just reload the page
+// - noReload: If this is defined then we expire the session without reloading
+// the page. Useful if the page should stay visible but no further actions
+// should be taken.
 yourlabs.SessionSecurity = function(options) {
 // **HTML element** that should show to warn the user that his session will
 // expire.
@@ -55,8 +58,7 @@ yourlabs.SessionSecurity.prototype = {
 this.expired = true;
 if (this.returnToUrl !== undefined) {
 window.location.href = this.returnToUrl;
- }
- else {
+ } else if (!this.noReload) {
 window.location.reload();
 }
 },
diff --git a/session_security/templates/session_security/all.html b/session_security/templates/session_security/all.html
index 8701011..e93582c 100644
--- a/session_security/templates/session_security/all.html
+++ b/session_security/templates/session_security/all.html
@@ -29,7 +29,9 @@
 pingUrl: '{% url 'session_security_ping' %}',
 warnAfter: {{ request|warn_after|unlocalize }},
 expireAfter: {{ request|expire_after|unlocalize }},
- confirmFormDiscard: "{% trans 'You have unsaved changes in a form of this page.' %}"
+ confirmFormDiscard: "{% trans 'You have unsaved changes in a form of this page.' %}",
+ noReload: false // If this is set the session is exprired but the current page remains visible
+
 });
 {% endlocalize %}
diff --git a/session_security/tests/test_script.py b/session_security/tests/test_script.py
index dacda88..6164f9d 100644
--- a/session_security/tests/test_script.py
+++ b/session_security/tests/test_script.py
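Review bot: The added option comment says noReload takes effect when it is "defined", but the check in the second hunk of this file, `} else if (!this.noReload) {`, is a truthiness test, and the all.html hunk in this same patch defines it as `noReload: false`, which does not suppress the reload. Wording it as `// - noReload: if truthy, expire the session without reloading the page` matches what the code does. Patch 3's hunk on this file expands the same paragraph and keeps the "defined" wording, so the fix applies there as well.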
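Review bot: When `noReload` is truthy and `returnToUrl` is undefined, the new `else if (!this.noReload)` branch leaves the page exactly as it was, so nothing tells the user the session is gone and the page keeps offering actions that will now fail or be redirected server-side; the enclosing method starts outside the hunk, so I cannot see whether the warning element is hidden or kept on this path. At minimum the method should leave a persistent indication or give the embedding page a hook, for example a constructed `onExpired` callback invoked right after `this.expired = true;` as `if (typeof this.onExpired === 'function') this.onExpired();`, so the page can disable its own controls. Since `this.expired` is set before the branch, the remaining ping and activity handling presumably already consults it; worth confirming that nothing keeps pinging the server from a page that stays open after expiry.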
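Review bot: `noReload: false` is a hard-coded literal in the shipped template, so the only way for a project to enable the feature added in script.js is to override all.html, whereas the neighbouring options (`warnAfter`, `expireAfter`) are driven by template filters; a setting-backed value exposed the same way would make it configurable without a template override. The added comment also misspells "expired" as "exprired", and "If this is set" is misleading because `false` is itself a set value; `noReload: false // If true, the session still expires but the current page remains visible` says what the script actually checks.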
@@ -55,3 +55,27 @@ def test_activity_prevents_warning(self):
 self.assert_visible('#session_security_warning')
 delta = datetime.datetime.now() - start
 self.assertGreaterEqual(delta.seconds, self.min_warn_after)
+
+ def test_no_reload(self):
+ locations = []
+ for win in self.sel.window_handles:
+ self.sel.switch_to_window(win)
+ # can we check the value of sessionSecurity.noReload here??
+ self.assertEqual(False, self.sel.execute_script(
+ 'return sessionSecurity.noReload'))
+ locations.append(self.sel.current_url)
+ # Set the noReload variable
+ self.sel.execute_script('sessionSecurity.noReload = true')
+ self.assertEqual(True, self.sel.execute_script(
+ 'return sessionSecurity.noReload'))
+
+ time.sleep(self.max_expire_after)
+
+ # Should still be at the same URL
+ for (idx, win) in enumerate(self.sel.window_handles):
+ self.sel.switch_to_window(win)
+ self.assertEqual(locations[idx], self.sel.current_url)
+
+ # Even if we hit a key
+ self.press_space()
+ self.assertEqual(locations[idx], self.sel.current_url)
From 959073df0bede998f3751557e4cf63cd435c1951 Mon Sep 17 00:00:00 2001
From: Matthew Bosworth
Date: Fri, 7 Apr 2017 10:34:19 -0700
Subject: [PATCH 3/3] Expanded on the comment explaining noReload
---
 session_security/static/session_security/script.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/session_security/static/session_security/script.js b/session_security/static/session_security/script.js
index cf3cb99..99a38e8 100644
--- a/session_security/static/session_security/script.js
+++ b/session_security/static/session_security/script.js
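Review bot: `test_no_reload` never checks that the session actually expired: after `time.sleep(self.max_expire_after)` it only asserts that each window's URL is unchanged, which is equally true if expiry never fired, so the test cannot distinguish "noReload worked" from "nothing happened". Adding `self.assertTrue(self.sel.execute_script('return sessionSecurity.expired'))` inside the second loop, before the URL assertion, pins the behaviour the feature is meant to preserve (the script.js hunk of this patch sets `this.expired = true` on that path). The comment `# can we check the value of sessionSecurity.noReload here??` is a leftover question that the next line already answers; `# the template ships noReload as false, so it must start disabled` states the intent instead. `time` is used here but its import is outside the hunk, so confirm it is present at file top.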
@@ -16,8 +16,12 @@ if (window.yourlabs == undefined) window.yourlabs = {};
 // - events: a list of event types to watch for activity updates.
 // - returnToUrl: a url to redirect users to expired sessions to. If this is not defined we just reload the page
 // - noReload: If this is defined then we expire the session without reloading
-// the page. Useful if the page should stay visible but no further actions
-// should be taken.
+// the page. Useful if a page requires a lot of navigation or
+// interaction to get to and jumping to a login page would make it
+// difficult to recreate the state. SECURITY WARNING: this option is
+// inherently less secure than reloading the page. Any sensitive
+// information will remain visible and could potentially be copied / pasted
+// after expiration.
 yourlabs.SessionSecurity = function(options) {
 // **HTML element** that should show to warn the user that his session will
 // expire.