New session model with id and JSON data

Author: davegaeddert

plain-admin/tests/test_admin.py

@@ -18,5 +18,7 @@ def test_admin_login_required(db):
     user.is_admin = True
     user.save()
 
-    # Now admin
-    assert client.get("/admin/").status_code == 200
+    # Now admin (currently redirects to the first view)
+    resp = client.get("/admin/")
+    assert resp.status_code == 302
+    assert resp.url == "/admin/p/session/"

plain-sessions/plain/sessions/admin.py

@@ -1,7 +1,28 @@
 from plain.admin.toolbar import ToolbarPanel, register_toolbar_panel
+from plain.admin.views import (
+    AdminModelDetailView,
+    AdminModelListView,
+    AdminViewset,
+    register_viewset,
+)
+
+from .models import Session
 
 
 @register_toolbar_panel
 class SessionToolbarPanel(ToolbarPanel):
     name = "Session"
     template_name = "toolbar/session.html"
+
+
+@register_viewset
+class SessionAdmin(AdminViewset):
+    class ListView(AdminModelListView):
+        model = Session
+        fields = ["session_key", "expires_at", "created_at"]
+        search_fields = ["session_key"]
+        nav_section = "Sessions"
+        queryset_order = ["-created_at"]
+
+    class DetailView(AdminModelDetailView):
+        model = Session

plain-sessions/plain/sessions/core.py

@@ -1,32 +1,12 @@
-import logging
 import string
 from datetime import timedelta
 
-from plain import signing
-from plain.exceptions import SuspiciousOperation
-from plain.models import DatabaseError, IntegrityError, transaction
+from plain.models import transaction
 from plain.runtime import settings
 from plain.utils import timezone
 from plain.utils.crypto import get_random_string
 
 
-class CreateError(Exception):
-    """
-    Used internally as a consistent exception type to catch from save (see the
-    docstring for SessionBase.save() for details).
-    """
-
-    pass
-
-
-class UpdateError(Exception):
-    """
-    Occurs if Plain tries to update a session that was deleted.
-    """
-
-    pass
-
-
 class SessionStore:
     """
     The actual session object that gets attached to a request,
@@ -59,10 +39,6 @@ def __delitem__(self, key):
         del self._session[key]
         self.modified = True
 
-    @property
-    def key_salt(self):
-        return "plain.sessions." + self.__class__.__qualname__
-
     def get(self, key, default=None):
         return self._session.get(key, default)
 
@@ -79,26 +55,6 @@ def setdefault(self, key, value):
             self._session[key] = value
             return value
 
-    def _encode(self, session_dict):
-        "Return the given session dictionary serialized and encoded as a string."
-        return signing.dumps(
-            session_dict,
-            salt=self.key_salt,
-            compress=True,
-        )
-
-    def _decode(self, session_data):
-        try:
-            return signing.loads(session_data, salt=self.key_salt)
-        except signing.BadSignature:
-            logger = logging.getLogger("plain.security.SuspiciousSession")
-            logger.warning("Session data corrupted")
-        except Exception:
-            # ValueError, unpickling exceptions. If any of these happen, just
-            # return an empty dictionary (an empty session).
-            pass
-        return {}
-
     def update(self, dict_):
         self._session.update(dict_)
         self.modified = True
@@ -190,56 +146,39 @@ def _load(self):
             session = self._model.objects.get(
                 session_key=self.session_key, expires_at__gt=timezone.now()
             )
-        except (self._model.DoesNotExist, SuspiciousOperation) as e:
-            if isinstance(e, SuspiciousOperation):
-                logger = logging.getLogger(f"plain.security.{e.__class__.__name__}")
-                logger.warning(str(e))
+        except self._model.DoesNotExist:
             self.session_key = None
             session = None
 
-        return self._decode(session.session_data) if session else {}
+        return session.session_data if session else {}
 
     def create(self):
-        while True:
-            self.session_key = self._get_new_session_key()
-            try:
-                # Save immediately to ensure we have a unique entry in the
-                # database.
-                self.save(must_create=True)
-            except CreateError:
-                # Key wasn't unique. Try again.
-                continue
-            self.modified = True
-            return
+        self.session_key = self._get_new_session_key()
+        data = self._get_session(no_load=True)
+        with transaction.atomic():
+            self._model.objects.create(
+                session_key=self.session_key,
+                session_data=data,
+                expires_at=timezone.now()
+                + timedelta(seconds=settings.SESSION_COOKIE_AGE),
+            )
+        self.modified = True
 
-    def save(self, must_create=False):
+    def save(self):
         """
-        Save the current session data to the database. If 'must_create' is
-        True, raise a database error if the saving operation doesn't create a
-        new entry (as opposed to possibly updating an existing entry).
+        Save the current session data to the database using update_or_create.
         """
-        if self.session_key is None:
-            return self.create()
-        data = self._get_session(no_load=must_create)
-
-        obj = self._model(
-            session_key=self._get_or_create_session_key(),
-            session_data=self._encode(data),
-            expires_at=timezone.now() + timedelta(seconds=settings.SESSION_COOKIE_AGE),
-        )
+        data = self._get_session(no_load=False)
+
+        with transaction.atomic():
+            _, created = self._model.objects.update_or_create(
+                session_key=self._get_or_create_session_key(),
+                defaults={
+                    "session_data": data,
+                    "expires_at": timezone.now()
+                    + timedelta(seconds=settings.SESSION_COOKIE_AGE),
+                },
+            )
 
-        try:
-            with transaction.atomic():
-                obj.save(
-                    clean_and_validate=False,
-                    force_insert=must_create,
-                    force_update=not must_create,
-                )
-        except IntegrityError:
-            if must_create:
-                raise CreateError
-            raise
-        except DatabaseError:
-            if not must_create:
-                raise UpdateError
-            raise
+        if created:
+            self.modified = True

plain-sessions/plain/sessions/exceptions.py

@@ -1,11 +1,10 @@
 import time
 
 from plain.runtime import settings
-from plain.sessions.exceptions import SessionInterrupted
 from plain.utils.cache import patch_vary_headers
 from plain.utils.http import http_date
 
-from .core import SessionStore, UpdateError
+from .core import SessionStore
 
 
 class SessionMiddleware:
@@ -51,14 +50,7 @@ def __call__(self, request):
                 # Save the session data and refresh the client cookie.
                 # Skip session save for 5xx responses.
                 if response.status_code < 500:
-                    try:
-                        request.session.save()
-                    except UpdateError:
-                        raise SessionInterrupted(
-                            "The request's session was deleted before the "
-                            "request completed. The user may have logged "
-                            "out in a concurrent request, for example."
-                        )
+                    request.session.save()
                     response.set_cookie(
                         settings.SESSION_COOKIE_NAME,
                         request.session.session_key,

plain-sessions/plain/sessions/middleware.py

@@ -0,0 +1,72 @@
+# Generated by Plain 0.52.2 on 2025-07-06 02:00
+
+from plain import models, signing
+from plain.models import migrations
+
+
+def copy_sessions(apps, schema_editor):
+    """
+    Copy data from the old Session2 model to the new Session model.
+    """
+    Session2 = apps.get_model("plainsessions", "Session2")
+    Session = apps.get_model("plainsessions", "Session")
+
+    salt = "plain.sessions.SessionStore"
+
+    to_create = []
+
+    for session in Session2.objects.all():
+        session_data = signing.loads(session.session_data, salt=salt)
+        to_create.append(
+            Session(
+                session_key=session.session_key,
+                session_data=session_data,
+                expires_at=session.expires_at,
+            )
+        )
+
+    Session.objects.bulk_create(to_create)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("plainsessions", "0004_alter_session_managers_and_more"),
+    ]
+
+    operations = [
+        migrations.RenameModel(
+            old_name="Session",
+            new_name="Session2",
+        ),
+        migrations.RenameIndex(
+            model_name="session2",
+            new_name="plainsessio_expires_f66c08_idx",
+            old_name="plainsessio_expires_d87cb5_idx",
+        ),
+        migrations.CreateModel(
+            name="Session",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True)),
+                ("session_key", models.CharField(max_length=40)),
+                ("session_data", models.JSONField(default=dict, required=False)),
+                ("created_at", models.DateTimeField(auto_now_add=True)),
+                ("expires_at", models.DateTimeField(allow_null=True)),
+            ],
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(
+                fields=["expires_at"], name="plainsessio_expires_d87cb5_idx"
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="session",
+            constraint=models.UniqueConstraint(
+                fields=("session_key",), name="unique_session_key"
+            ),
+        ),
+        migrations.RunPython(copy_sessions),
+        migrations.DeleteModel(
+            name="Session2",
+        ),
+    ]

plain-sessions/plain/sessions/migrations/0005_rename_session_session2_and_more.py

@@ -3,37 +3,18 @@
 
 @models.register_model
 class Session(models.Model):
-    """
-    Plain provides full support for anonymous sessions. The session
-    framework lets you store and retrieve arbitrary data on a
-    per-site-visitor basis. It stores data on the server side and
-    abstracts the sending and receiving of cookies. Cookies contain a
-    session ID -- not the data itself.
-
-    The Plain sessions framework is entirely cookie-based. It does
-    not fall back to putting session IDs in URLs. This is an intentional
-    design decision. Not only does that behavior make URLs ugly, it makes
-    your site vulnerable to session-ID theft via the "Referer" header.
-
-    For complete documentation on using Sessions in your code, consult
-    the sessions documentation that is shipped with Plain (also available
-    on the Plain web site).
-    """
-
-    session_key = models.CharField(max_length=40, primary_key=True)
-    session_data = models.TextField()
-    expires_at = models.DateTimeField()
+    session_key = models.CharField(max_length=40)
+    session_data = models.JSONField(default=dict, required=False)
+    created_at = models.DateTimeField(auto_now_add=True)
+    expires_at = models.DateTimeField(allow_null=True)
 
     class Meta:
         indexes = [
             models.Index(fields=["expires_at"]),
         ]
+        constraints = [
+            models.UniqueConstraint(fields=["session_key"], name="unique_session_key")
+        ]
 
     def __str__(self):
         return self.session_key
-
-    def decoded_data(self):
-        from .core import SessionStore
-
-        # A little weird to init an empty one just to use the decode
-        return SessionStore()._decode(self.session_data)