From 78d76db2ae8b7a646f8ae90efef7545006a0379c Mon Sep 17 00:00:00 2001
From: Patrick Easters
Date: Mon, 3 Nov 2025 21:19:35 -0500
Subject: [PATCH] Only create sessions for authenticated users

---
 webBase.py | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/webBase.py b/webBase.py
index b6f2278..cfed33a 100644
--- a/webBase.py
+++ b/webBase.py
@@ -7,21 +7,35 @@ class Cookie(object):
     def __init__(self, name):
         self.name = name
 
-    def get(self, default=''):
-        result = default
-        result = cherrypy.session.get(self.name)
-        if not result:
-            self.set(default)
-            result = default
+    def _session_exists(self):
+        """Check if a session exists without creating one."""
+        # Check if session cookie exists in request
+        # This prevents session creation for unauthenticated users
+        # If no cookie exists, the user is not logged in, so no session should exist
+        session_cookie_name = cherrypy.config.get('tools.sessions.name', 'session_id')
+        return session_cookie_name in cherrypy.request.cookie
 
-        return result
+    def get(self, default=''):
+        # Only access session if it already exists (user is logged in)
+        if not self._session_exists():
+            return default
+        # Session exists and is loaded, safe to access
+        try:
+            result = cherrypy.session.get(self.name, default)
+            return result if result else default
+        except (AttributeError, KeyError):
+            # Session might have been invalidated, return default
+            return default
 
     def set(self, value):
+        # Setting a value means user is logged in, so creating session is OK
         cherrypy.session[self.name] = value
         return value
 
     def delete(self):
-        cherrypy.session.pop(self.name, None)
+        # Only try to delete if session exists
+        if self._session_exists():
+            cherrypy.session.pop(self.name, None)
 
 class WebBase(object):
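Review bot: `_session_exists` reads the cookie name from the global `cherrypy.config`, so if `tools.sessions.name` is set in application-level config (for example in the config passed at mount time) the lookup falls back to `'session_id'`, every call returns False, and `get` silently returns `default` while `delete` never pops; `cherrypy.request.config` holds the merged per-request config, so `session_cookie_name = cherrypy.request.config.get('tools.sessions.name', 'session_id')` is the more robust lookup. The comments on `_session_exists` and `get` equate the presence of the cookie with the user being logged in, but the cookie is client-supplied: any client can send a cookie with that name, and if it does not match a stored session the sessions tool will, as far as I recall, still create a fresh one on access, so the "no session for unauthenticated users" guarantee only holds for clients that send no cookie at all. I would reword the docstring to `"""Return True if the request carries a session cookie (client-supplied; not proof of a valid or authenticated session)."""` and drop the "user is logged in" comments. The `except (AttributeError, KeyError)` in `get` is broader than the `.get(self.name, default)` call can raise on a loaded session; if the intent is to survive the sessions tool being disabled (no `cherrypy.session` attribute), state that in the comment instead of "invalidated".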