demystify Flask app.secret_key


Question

If app.secret_key isn't set, Flask will not allow you to set or access the session dictionary.

This is all that the flask user guide has to say on the subject.

I am very new to web development and I have no idea how/why any security stuff works. I would like to understand what Flask is doing under the hood.

  • Why does Flask force us to set this secret_key property?
  • How does Flask use the secret_key property?

Accepted answer

Anything that requires encryption (for safe-keeping against tampering by attackers) requires the secret key to be set. For just Flask itself, that 'anything' is the Session object, but other extensions can make use of the same secret.

secret_key is merely the value set for the SECRET_KEY configuration key, or you can set it directly.

The Sessions section in the Quickstart has good, sane advice on what kind of server-side secret you should set.

Encryption relies on secrets; if you didn't set a server-side secret for the encryption to use, everyone would be able to break your encryption; it's like the password to your computer. The secret plus the data-to-sign are used to create a signature string, a hard-to-recreate value using a cryptographic hashing algorithm; only if you have the exact same secret and the original data can you recreate this value, letting Flask detect if anything has been altered without permission. Since the secret is never included with data Flask sends to the client, a client cannot tamper with session data and hope to produce a new, valid signature.

Flask uses the itsdangerous library to do all the hard work; sessions use the itsdangerous.URLSafeTimedSerializer class with a customized JSON serializer.
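The sign-then-verify scheme the answer describes, as an added stand-alone example (not code from the answer, from Flask, or from itsdangerous): a stripped-down stand-in for URLSafeTimedSerializer built on the standard library. It assumes HMAC-SHA256 and a constructed demo secret; itsdangerous' own key derivation, digest and token layout differ, so this illustrates the principle, not the exact bytes Flask emits.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real app reads SECRET_KEY from its config.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_session(data: dict, secret: bytes = DEMO_SECRET) -> str:
    """Serialize data as JSON, add a timestamp, and append an HMAC over both.
    HMAC-SHA256 is an assumption here; itsdangerous' defaults differ."""
    payload = _b64(json.dumps(data, separators=(",", ":")).encode())
    stamp = _b64(int(time.time()).to_bytes(8, "big"))
    body = f"{payload}.{stamp}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"

def load_session(token: str, secret: bytes = DEMO_SECRET, max_age: int = 3600):
    """Return the session dict only if the signature verifies under the
    server-side secret and the timestamp is fresh; otherwise None."""
    try:
        payload, stamp, sig = token.split(".")
        body = f"{payload}.{stamp}"
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # wrong secret, or payload/timestamp altered
        if time.time() - int.from_bytes(_unb64(stamp), "big") > max_age:
            return None  # expired
        return json.loads(_unb64(payload))
    except (ValueError, TypeError, UnicodeDecodeError):
        return None  # malformed token

def peek_session(token: str) -> dict:
    """Decode the payload without checking the signature: the cookie is
    signed, not encrypted, so its contents are readable by the client."""
    return json.loads(_unb64(token.split(".")[0]))

def replace_payload(token: str, new_data: dict) -> str:
    """Swap the payload but keep the old timestamp and signature, to show
    that load_session rejects a token edited without the secret."""
    _, stamp, sig = token.split(".")
    return f"{_b64(json.dumps(new_data, separators=(',', ':')).encode())}.{stamp}.{sig}"
```

Note that peek_session succeeds on any token: the secret protects integrity, not confidentiality, so nothing sensitive belongs in a client-side session.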

