1.参考flask官方demo实现如下一段代码
# encoding: utf-8
"""
@version: 1.0
@author: pierrexiong
@file: my_session
@time: 2018/7/17 上午12:00
"""
from flask import Flask, session, redirect, url_for, escape, request
app = Flask(__name__)
@app.route('/')
def index():
if 'username' in session:
return 'Logged in as %s' % escape(session['username'])
return 'You are not logged in'
@app.route('/login', methods=['GET', 'POST'])
def login():
if request.method == 'POST':
session['username'] = request.form['username']
return redirect(url_for('index'))
return '''
<form action="" method="post">
<p><input type=text name=username>
<p><input type=submit value=Login>
</form>
'''
@app.route('/logout')
def logout():
# remove the username from the session if it's there
session.pop('username', None)
return redirect(url_for('index'))
# set the secret key. keep this really secret:
app.secret_key = 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT'
if __name__ == '__main__':
app.run()
【图片一】
基于代码可看出,flask的session是基于cookie实现的,这样可以实现不同请求间存储特定用户的信息,实现用户状态的保持。
当然flask对cookie的安全做了一些基础的加固:
正如前文所说flask的session基于cookie实现,相关基础源码见sessions.py,核心安全部分是基于itsdangerous实现(http://itsdangerous.readthedocs.io/en/latest/)
# 生成session
def save_session(self, app, session, response):
domain = self.get_cookie_domain(app)
path = self.get_cookie_path(app)
# If the session is modified to be empty, remove the cookie.
# If the session is empty, return without setting the cookie.
if not session:
if session.modified:
response.delete_cookie(
app.session_cookie_name,
domain=domain,
path=path
)
return
# Add a "Vary: Cookie" header if the session was accessed at all.
if session.accessed:
response.vary.add('Cookie')
if not self.should_set_cookie(app, session):
return
httponly = self.get_cookie_httponly(app)
secure = self.get_cookie_secure(app)
samesite = self.get_cookie_samesite(app)
expires = self.get_expiration_time(app, session)
val = self.get_signing_serializer(app).dumps(dict(session))
response.set_cookie(
app.session_cookie_name,
val,
expires=expires,
httponly=httponly,
domain=domain,
path=path,
secure=secure,
samesite=samesite
)
如上述代码所示,我们使用save_session来生成并保存我们的session。其中不难看出,最终还是将下列值set到cookie里面:
# 打开session并进行校验
def open_session(self, app, request):
s = self.get_signing_serializer(app)
if s is None:
return None
val = request.cookies.get(app.session_cookie_name)
if not val:
return self.session_class()
max_age = total_seconds(app.permanent_session_lifetime)
try:
data = s.loads(val, max_age=max_age)
return self.session_class(data)
except BadSignature:
return self.session_class()
flask打开session时会读取cookie的val,并使用签名来验证是否有效
salt = 'cookie-session'
digest_method = staticmethod(hashlib.sha1)
key_derivation = 'hmac'
serializer = session_json_serializer
def get_signing_serializer(self, app):
if not app.secret_key:
return None
signer_kwargs = dict(
key_derivation=self.key_derivation,
digest_method=self.digest_method
)
return URLSafeTimedSerializer(app.secret_key, salt=self.salt,
serializer=self.serializer,
signer_kwargs=signer_kwargs)
在SecureCookieSessionInterface类中会使用上述方法生成签名, 其中URLSafeTimedSerializer就是来自itsdangerous。
一旦app.secret_key泄露,则整个session体系将变得不安全。
(后面有时间可以模拟因泄露secret_key而进行的web攻击)
app.session_cookie_name = 'flask_session'
# permanent_session_lifetime 设置session保持时间
flask官方的session实现,依然是俗套的方法:
flask在安全上的保证:
https://blog.csdn.net/yueguanghaidao/article/details/40016235
本文系转载,前往查看
如有侵权,请联系 cloudcommunity@tencent.com 删除。
本文系转载,前往查看
如有侵权,请联系 cloudcommunity@tencent.com 删除。