Don't embed user_id in session by default
MarkReedZ committed Mar 25, 2024
1 parent cd88df8 commit 6616912
Showing 1 changed file with 10 additions and 9 deletions.
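--- a/src/mrhttp/app.py
+++ b/src/mrhttp/app.py
@@ -422,15 +422,16 @@ def setUserSessionAndCookies(self, request, user_id, user, cookies=http.cookies.
 k += mrhttp.to64( random.getrandbits(6) )
 
 userk = ""
-numbits = user_id.bit_length()
-if numbits == 0:
-numbits += 1
-while numbits > 0:
-userk = mrhttp.to64( user_id & 0x1F ) + userk
-user_id >>= 5
-numbits -= 5
-userk = userk + mrhttp.to64( 0x20 | random.getrandbits(5) )
-
+if user_id:
+numbits = user_id.bit_length()
+if numbits == 0:
+numbits += 1
+while numbits > 0:
+userk = mrhttp.to64( user_id & 0x1F ) + userk
+user_id >>= 5
+numbits -= 5
+userk = userk + mrhttp.to64( 0x20 | random.getrandbits(5) )
+
 skey = userk + k[len(userk):]
 
 # Send the session cookie back to the user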
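Review bot: The session key in this hunk is still assembled from `random.getrandbits` (the `k +=` context line and the added `0x20 | random.getrandbits(5)` marker), and if `random` here is the standard-library module, its Mersenne Twister output is not meant for security tokens. Now that the user-id prefix is skipped whenever `user_id` is falsy, `skey` is then made up entirely of those PRNG characters, so I would switch the calls to `secrets.randbits(6)` and `secrets.randbits(5)`, or draw them from a `random.SystemRandom()` instance. Separately, inside the new `if user_id:` guard the `if numbits == 0: numbits += 1` branch can no longer fire, because `bit_length()` is 0 only for 0, so it can be dropped. The function starts and continues outside the hunk, so the import of `random` and the code that builds `k` are not visible here.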
