Empty session data if session age > max_age (#331)

panagiks · asvetlov · commit 1b356f01bbab · 2018-10-12T16:00:24.000+03:00
diff --git a/aiohttp_session/__init__.py b/aiohttp_session/__init__.py
@@ -24,9 +24,12 @@ def __init__(self, identity, *, data, new, max_age=None):
         self._max_age = max_age
         created = data.get('created', None) if data else None
         session_data = data.get('session', None) if data else None
-
+        now = int(time.time())
+        age = now - created if created else now
+        if max_age is not None and age > max_age:
+            session_data = None
         if self._new or created is None:
-            self._created = int(time.time())
+            self._created = now
         else:
             self._created = created
 
diff --git a/tests/test_nacl_storage.py b/tests/test_nacl_storage.py
@@ -8,7 +8,8 @@
 from aiohttp import web
 from nacl.encoding import Base64Encoder
 
-from aiohttp_session import Session, session_middleware, get_session
+from aiohttp_session import (Session, session_middleware, get_session,
+                             new_session)
 from aiohttp_session.nacl_storage import NaClCookieStorage
 
 
@@ -212,3 +213,33 @@ async def handler(request):
     make_cookie(client, secretbox, {'a': 1, 'b': 12})
     resp = await client.get('/')
     assert resp.status == 200
+
+
+async def test_load_expired_session(aiohttp_client, key):
+    MAX_AGE = 2
+
+    async def login(request):
+        session = await new_session(request)
+        session['created'] = int(time.time())
+        return web.Response()
+
+    async def handler(request):
+        session = await get_session(request)
+        created = session.get('created', None) if not session.new else None
+        text = ''
+        if created is not None and (time.time() - created) > MAX_AGE:
+            text += 'WARNING!'
+        return web.Response(text=text)
+
+    app = create_app(handler, key, max_age=MAX_AGE)
+    app.router.add_route('POST', '/', login)
+
+    client = await aiohttp_client(app)
+    resp = await client.post('/')
+    assert 'AIOHTTP_SESSION' in resp.cookies
+    cookie = resp.cookies['AIOHTTP_SESSION'].value
+    await asyncio.sleep(MAX_AGE + 1)
+    client.session.cookie_jar.update_cookies({'AIOHTTP_SESSION': cookie})
+    resp = await client.get('/')
+    body = await resp.text()
+    assert body == ''
