From 8f4fbd84220a3256cbeee3f2adcc333c0ef0e6aa Mon Sep 17 00:00:00 2001
From: Michael Merickel <michael@merickel.org>
Date: Thu, 27 Feb 2014 16:51:43 -0500
Subject: fix timeout=None bug as well as some other potential unpacking
 problems

---
 pyramid/session.py | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/pyramid/session.py b/pyramid/session.py
index ea7a5628c..5cc51869c 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -256,17 +256,24 @@ def BaseCookieSessionFactory(
 
             if value is not None:
                 try:
-                    renewed, created, state = value
+                    # since the value is not necessarily signed, we have
+                    # to unpack it a little carefully
+                    rval, cval, sval = value
+                    renewed = float(rval)
+                    created = float(cval)
+                    state = sval
                     new = False
-                    if now - renewed > self._timeout:
-                        # expire the session because it was not renewed
-                        # before the timeout threshold
-                        state = {}
-                except TypeError:
+                except (TypeError, ValueError):
                     # value failed to unpack properly or renewed was not
                     # a numeric type so we'll fail deserialization here
                     state = {}
 
+            if self._timeout is not None:
+                if now - renewed > self._timeout:
+                    # expire the session because it was not renewed
+                    # before the timeout threshold
+                    state = {}
+
             self.created = created
             self.accessed = renewed
             self.renewed = renewed
-- 
cgit v1.2.3