use json serializer for sessions, change timestamps' data type, more security docs

json serializer can't serialize datetime (but integers), but is more safe than the pickle serializer.

docs/security.rst

@@ -119,3 +119,17 @@ users' sites (like attacker.yourservice.net).
 Obviously, this might lead to security issues with stealing, modifying and
 faking domain cookies.
 
+
+Sessions
+========
+
+We use Django's more safe JSONSerializer to serialize session data.
+For Django >=1.5.3, the serializer is configurable.
+For Django >=1.6 json will be the default rather than the less safe pickle format.
+
+
+Django's SECRET_KEY
+===================
+
+Well, it needs to be secret, so don't just keep the value from our settings.py,
+but define a really secret one in your local_settings.py.

nsupdate/api/views.py

@@ -3,6 +3,7 @@
 import logging
 logger = logging.getLogger(__name__)
 
+import time
 import json
 
 from django.http import HttpResponse
@@ -10,7 +11,6 @@ from django.conf import settings
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.decorators import login_required
 from django.contrib.sessions.backends.db import SessionStore
-from django.utils.timezone import now
 
 from ..main.models import Host
 from ..main.dnstools import update, SameIpError, check_ip
@@ -52,7 +52,7 @@ def DetectIpView(request, secret=None):
     ipaddr = request.META['REMOTE_ADDR']
     key = check_ip(ipaddr)
     s[key] = ipaddr
-    s[key + '_timestamp'] = now()
+    s[key + '_timestamp'] = int(time.time())
     logger.debug("detected %s: %s" % (key, ipaddr))
     s.save()
     return HttpResponse(status=204)

nsupdate/context_processors.py

@@ -3,10 +3,9 @@
 import logging
 logger = logging.getLogger(__name__)
 
-from datetime import timedelta
+import time
 
 from django.conf import settings
-from django.utils.timezone import now
 
 MAX_IP_AGE = 180  # seconds
 
@@ -27,7 +26,7 @@ def remove_stale_ips(request):
     """
     # XXX is a context processor is the right place for this?
     s = request.session
-    t_now = now()
+    t_now = int(time.time())
     for key in ['ipv4', 'ipv6', ]:
         timestamp_key = "%s_timestamp" % key
         try:
@@ -38,7 +37,7 @@ def remove_stale_ips(request):
             s[timestamp_key] = t_now
         else:
             try:
-                stale = timestamp + timedelta(seconds=MAX_IP_AGE) < t_now
+                stale = timestamp + MAX_IP_AGE < t_now
             except (ValueError, TypeError):
                 # invalid timestamp in session
                 del s[timestamp_key]

nsupdate/settings.py

@@ -235,6 +235,7 @@ SESSION_COOKIE_HTTPONLY = True
 SESSION_COOKIE_AGE = 14 * 24 * 3600  # 2 weeks, in seconds
 SESSION_EXPIRE_AT_BROWSER_CLOSE = False
 
+SESSION_SERIALIZER = 'django.contrib.sessions.serializers.JSONSerializer'
 
 # python-social-auth settings
 

setup.py

@@ -38,7 +38,7 @@ setup(
     zip_safe=False,
     platforms='any',
     install_requires=[
-        'django<1.6',
+        'django >1.5.3, <1.6', # 1.5.3 has the session serializer configurable
         'dnspython',
         'south',
         'django-bootstrap-form',