+
−import base64
+
−import cPickle as pickle
+
−
+
−from django.db import models
+
−from django.utils.translation import ugettext_lazy as _
+
−from django.conf import settings
+
−from django.utils.hashcompat import md5_constructor
+
−
+
−
+
−class SessionManager(models.Manager):
+
−    def encode(self, session_dict):
+
−        """
+
−        Returns the given session dictionary pickled and encoded as a string.
+
−        """
+
−        pickled = pickle.dumps(session_dict)
+
−        pickled_md5 = md5_constructor(pickled + settings.SECRET_KEY).hexdigest()
+
−        return base64.encodestring(pickled + pickled_md5)
+
−
+
−    def save(self, session_key, session_dict, expire_date):
+
−        s = self.model(session_key, self.encode(session_dict), expire_date)
+
−        if session_dict:
+
−            s.save()
+
−        else:
+
−            s.delete() # Clear sessions with no data.
+
−        return s
+
−
+
−
+
−class Session(models.Model):
+
−    """
+
−    Django provides full support for anonymous sessions. The session
+
−    framework lets you store and retrieve arbitrary data on a
+
−    per-site-visitor basis. It stores data on the server side and
+
−    abstracts the sending and receiving of cookies. Cookies contain a
+
−    session ID -- not the data itself.
+
−
+
−    The Django sessions framework is entirely cookie-based. It does
+
−    not fall back to putting session IDs in URLs. This is an intentional
+
−    design decision. Not only does that behavior make URLs ugly, it makes
+
−    your site vulnerable to session-ID theft via the "Referer" header.
+
−
+
−    For complete documentation on using Sessions in your code, consult
+
−    the sessions documentation that is shipped with Django (also available
+
−    on the Django website).
+
−    """
+
−    session_key = models.CharField(_('session key'), max_length=40,
+
−                                   primary_key=True)
+
−    session_data = models.TextField(_('session data'))
+
−    expire_date = models.DateTimeField(_('expire date'))
+
−    objects = SessionManager()
+
−
+
−    class Meta:
+
−        db_table = 'django_session'
+
−        verbose_name = _('session')
+
−        verbose_name_plural = _('sessions')
+
−
+
−    def get_decoded(self):
+
−        encoded_data = base64.decodestring(self.session_data)
+
−        pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
+
−        if md5_constructor(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
+
−            from django.core.exceptions import SuspiciousOperation
+
−            raise SuspiciousOperation, "User tampered with session cookie."
+
−        try:
+
−            return pickle.loads(pickled)
+
−        # Unpickling can cause a variety of exceptions. If something happens,
+
−        # just return an empty dictionary (an empty session).
+
−        except:
+
−            return {}