Why is flask-session in plain text?


Problem description

I have server-side session files being created and I am new to web applications. I don't understand why the session file, when opened as a text file, has plain content inside it. I have a secret key set up and all, but why is it not encrypted?

from flask import Flask, render_template, request, redirect, url_for, session, flash
from flask_session import Session   # the package is flask_session (singular)

app = Flask(__name__)
app.config['SECRET_KEY'] = 'keykeykey'
app.config["SESSION_PERMANENT"] = False
app.config["SESSION_TYPE"] = "filesystem"   # pickled session dicts under ./flask_session by default
app.config['SESSION_USE_SIGNER'] = True     # sign the session id stored in the browser cookie
server_session = Session(app)

The login route is

@app.route('/login', methods=['GET', 'POST'])
def login_page():
    if request.method == 'POST':
        email = request.form['email']   # the form field whose value ends up in the session file
        session['email'] = email
        return redirect(url_for('home_page'))
    return render_template('login.html')   # template name assumed; not shown in the question

The logout route is

@app.route("/logout")
def logout():
    session.pop('email', None)
    return redirect(url_for("home_page"))

When the session is started a file is created in dir/flask-sessions/2029240f6d1128be89ddc32729463129; two files are generated each time, and when I open it with Notepad I can see the email id in plain text, that is:

Mø`.€•i       }"(Œ
_permanent"ˆŒ
csrf_token"Œ(fb90d22be1adc1237c52730fadf95d1e07936cdd9e"Œemail"Œemail@email.com"u.

The email@email.com at the end is the input from the form.

My questions are

  1. Why is the content not encrypted even though it is stored on my server?
  2. When I do session.pop(), why is the file not deleted?

I guess the issue is because I use from cachelib import FileSystemCache instead of from werkzeug.contrib.cache import FileSystemCache?? Is that the issue? How can I overcome this, as the latest version of werkzeug doesn't have .contrib?

Answer

Answering as best I can.

1) Why is the content not encrypted?

You do not really need to worry about the session stored on your server as long as your server is secured. The vulnerability is the session stored as cookies in the browser. To bypass that, the 'SECRET_KEY' is used to let the server sign the session variables before storing them in the browser. That is the reason why you might still see the session in plain text on the server. It will be signed in the browser cookie data, though.

2) When I do session.pop(), why is the file not deleted?

To understand what session.pop does, I did a little exercise. At first, my flask session looked like this:

Session is:  <SecureCookieSession {'id': '27260b14-405d-440a-9e38-daa32d9a7797', 'loggedin': True, 'username': 'Rajat Yadav'}>

When I pop all the keys in the session dict mapping, I am left with this:

New Session is:  <SecureCookieSession {}>

What is clear is that the key:value pair gets deleted as we pop the session. One thing for sure is that pop does not delete the complete dictionary object but just the key:value pair inside. As for your question of the file not getting deleted, I believe deleting the dictionary object should do the trick. Try:

del session

Let me know if this deletes the file.
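Added example, not part of the question or the answer above and not Flask-Session's own code: a standard-library imitation of the two mechanisms the thread is about, so it runs without Flask installed. The filesystem backend hands the session dict to cachelib's FileSystemCache, which pickles it into a file named after a hash of the key (md5 by default, hence names like 2029240f6d1128be89ddc32729463129); pickling is serialisation, not encryption, so the email is readable on disk. SESSION_USE_SIGNER only signs the session id that goes into the browser cookie (Flask-Session uses itsdangerous.Signer; plain HMAC-SHA256 stands in for it here), which gives integrity, not confidentiality. On the second question: Flask-Session removes the stored entry only when it saves a session whose dict is empty, so after session.pop('email') the csrf_token and _permanent keys keep the file alive and it is merely rewritten, while session.clear() empties the dict and the file goes away; del session just unbinds the imported proxy name and touches nothing on disk. The file layout, the "session:" key prefix and the constructed session values are assumptions for the demonstration.

```python
"""Stand-alone model of Flask-Session's filesystem backend and signed cookie.

Standard library only: an imitation for illustration, not Flask-Session itself.
"""
import hashlib
import hmac
import os
import pickle
import shutil
import tempfile
import uuid

# Same weak demo key as in the question; a real key should be long and random.
SECRET_KEY = b"keykeykey"


class FileSessionStore:
    """One pickled dict per session id, named like cachelib's FileSystemCache (assumed layout)."""

    def __init__(self, directory):
        self.directory = directory

    def _path(self, sid):
        # Flask-Session prefixes the key with "session:"; cachelib hashes the key (md5 by default).
        digest = hashlib.md5(("session:" + sid).encode()).hexdigest()
        return os.path.join(self.directory, digest)

    def save(self, sid, data):
        # An empty session is deleted on save; a non-empty one is rewritten.
        if not data:
            self.delete(sid)
            return
        with open(self._path(sid), "wb") as fh:
            pickle.dump(dict(data), fh)  # serialisation only: strings stay readable

    def delete(self, sid):
        try:
            os.remove(self._path(sid))
        except FileNotFoundError:
            pass

    def exists(self, sid):
        return os.path.exists(self._path(sid))

    def raw_bytes(self, sid):
        with open(self._path(sid), "rb") as fh:
            return fh.read()


def sign_sid(sid, secret=SECRET_KEY):
    """Cookie value under SESSION_USE_SIGNER: sid plus an HMAC (stands in for itsdangerous.Signer).

    The sid is still visible; the MAC only stops a client from substituting another sid.
    """
    mac = hmac.new(secret, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def verify_sid(cookie_value, secret=SECRET_KEY):
    """Return the sid if the signature is valid, otherwise None."""
    sid, sep, mac = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, sid.encode(), hashlib.sha256).hexdigest()
    return sid if hmac.compare_digest(mac, expected) else None


def demo(directory=None):
    """Walk through login, pop and clear; return what is observable at each step."""
    directory = directory or tempfile.mkdtemp(prefix="flask-session-demo-")
    store = FileSessionStore(directory)
    sid = str(uuid.uuid4())
    cookie = sign_sid(sid)

    # Login: same keys as the session file in the question (values constructed for the demo).
    session = {"_permanent": False, "csrf_token": "constructed-token", "email": "email@email.com"}
    store.save(sid, session)
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")  # flip last hex digit of the MAC
    result = {
        "email_visible_on_disk": b"email@email.com" in store.raw_bytes(sid),
        "email_in_cookie": "email@email.com" in cookie,
        "cookie_verifies": verify_sid(cookie) == sid,
        "tampered_cookie_rejected": verify_sid(tampered) is None,
    }

    # session.pop('email'): csrf_token and _permanent remain, so the file is rewritten, not removed.
    session.pop("email", None)
    store.save(sid, session)
    result["file_exists_after_pop"] = store.exists(sid)
    result["email_on_disk_after_pop"] = b"email@email.com" in store.raw_bytes(sid)

    # session.clear(): the dict is empty, so the backend deletes the file.
    session.clear()
    store.save(sid, session)
    result["file_exists_after_clear"] = store.exists(sid)

    shutil.rmtree(directory, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If the data at rest must not be readable by anyone who can read the session directory, the signer does not help; restrict the directory's permissions, or keep sensitive values out of the session and store only an opaque id that the application resolves server-side.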

