Invalidate an old session in Flask



Problem description

How do I create a new clean session and invalidate the current one in Flask?

Do I use make_null_session() or open_session()?

Solution

I do this by calling session.clear().

EDIT:

After reading your comment in another answer, I see that you're trying to prevent a replay attack that might be made using a cookie that was issued in the past. I solved that problem as much as possible* with this approach:

  • Override SecureCookieSessionInterface.save_session(), copying the code from the overridden version rather than calling it.
  • When the overridden version of save_session() calls save_cookie(), make it pass a session_expires argument 30 minutes in the future. This causes cookies more than 30 minutes old to be considered invalid.
  • Make the overridden version of save_session() update a session variable every so often, to make sure the cookie and its session_expires time get rewritten regularly. (I name this session variable '_refresh' and store the current time in it, then rewrite it only if more than a few seconds have passed since the last-stored time. This optimization avoids rewriting the cookie on every HTTP request.)

Duplicating Flask code in the custom save_session() makes this approach a bit ugly and brittle, but it is necessary in order to change the arguments passed to save_cookie(). It would be nice if Flask made this easier, or at least implemented its own safeguard against replay attacks.

*WARNING: This approach by itself will not stop replay attacks that might happen during a session cookie's valid lifetime. This fundamental problem with cookie-based sessions is discussed in RFC 6896 and A Secure Cookie Protocol by Liu, Kovacs, Huang, Gouda.
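The three steps in the answer above, as an added stand-alone example that is neither the answer's own code nor Flask's implementation: a signed cookie that carries its issue time, an `open_session()` that rejects cookies older than a 30-minute window, and a `save_session()` that re-issues the cookie only when the session changed or the `_refresh` timestamp is stale. It uses only the standard library so it runs anywhere; `SECRET_KEY`, `SESSION_MAX_AGE`, `REFRESH_INTERVAL`, the function names and the clock values in `replay_scenario()` are all constructed for this example.

```python
"""Replay-window session cookies, modelled on the answer's overridden save_session().

Constructed example, not Flask code: the cookie carries its issue time under an
HMAC-SHA256 tag; open_session() rejects cookies older than SESSION_MAX_AGE and
save_session() rewrites the cookie only when needed, throttled by "_refresh".
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET_KEY = b"constructed-example-key-do-not-use"  # assumption: a real app loads this from config
SESSION_MAX_AGE = 30 * 60   # the answer's 30-minute window, in seconds
REFRESH_INTERVAL = 60       # rewrite the cookie at most once a minute (the "_refresh" throttle)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(payload: str) -> bytes:
    return hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest().encode("ascii")


def sign_session(data: dict, issued_at: int) -> str:
    """Serialize session data plus its issue time and append an HMAC-SHA256 tag."""
    payload = _b64(json.dumps({"d": data, "t": issued_at}, sort_keys=True).encode("utf-8"))
    return f"{payload}.{_tag(payload).decode('ascii')}"


def open_session(cookie: Optional[str], now: int, max_age: int = SESSION_MAX_AGE) -> dict:
    """Counterpart of SessionInterface.open_session(): empty session for a missing,
    tampered, malformed or stale cookie, so a cookie replayed after the window
    simply means "not logged in"."""
    if not cookie or "." not in cookie:
        return {}
    payload, tag = cookie.rsplit(".", 1)
    if not hmac.compare_digest(tag.encode("utf-8"), _tag(payload)):
        return {}                       # verify first; never parse unauthenticated bytes
    try:
        blob = json.loads(_unb64(payload))
        issued_at = int(blob["t"])
        data = dict(blob["d"])
    except (ValueError, KeyError, TypeError):
        return {}
    if now - issued_at > max_age:
        return {}                       # older than the window: treated as invalid
    return data


def save_session(session: dict, now: int, modified: bool) -> Optional[str]:
    """Counterpart of the overridden save_session(): returns the cookie value to
    set, or None when no Set-Cookie header is needed this response."""
    if not session:
        return None                     # nothing to persist (a real app deletes the cookie here)
    refresh_due = now - int(session.get("_refresh", 0)) >= REFRESH_INTERVAL
    if refresh_due:
        session["_refresh"] = now       # bumps the issue time without touching user data
    if not (modified or refresh_due):
        return None                     # unchanged and fresh enough: skip the rewrite
    return sign_session(session, now)


def replay_scenario() -> dict:
    """Walk one login through the window on a constructed clock."""
    t0 = 1_700_000_000                  # constructed clock, seconds since the epoch
    sess = open_session(None, t0)
    sess["user"] = "alice"
    login_cookie = save_session(sess, t0, modified=True)

    # 10 minutes later the login cookie is presented again: inside the window, so it
    # is accepted. This is the answer's warning: replay within the window still works.
    ten_min = open_session(login_cookie, t0 + 600)
    refreshed = save_session(ten_min, t0 + 600, modified=False)   # refresh due: new cookie

    # 5 seconds after that: no change and refresh not due, so no cookie rewrite.
    soon = open_session(refreshed, t0 + 605)
    unchanged = save_session(soon, t0 + 605, modified=False)

    # 31 minutes after login: the original cookie is outside the window and rejected,
    # while the refreshed cookie (issued at t0+600) is still accepted.
    replayed_old = open_session(login_cookie, t0 + 31 * 60)
    still_active = open_session(refreshed, t0 + 31 * 60)

    # Flip the last hex digit of the tag: the signature check fails before any parsing.
    tampered = login_cookie[:-1] + ("0" if login_cookie[-1] != "0" else "1")
    forged = open_session(tampered, t0)

    return {"login_cookie": login_cookie, "ten_min": ten_min, "refreshed": refreshed,
            "unchanged": unchanged, "replayed_old": replayed_old,
            "still_active": still_active, "forged": forged}
```

In a Flask application these two functions correspond to the `open_session()` and `save_session()` methods of a `SecureCookieSessionInterface` subclass assigned to `app.session_interface`. Flask releases since 0.10 sign the session cookie with itsdangerous' `URLSafeTimedSerializer`, pass `max_age` derived from `PERMANENT_SESSION_LIFETIME` when loading it, and (with `SESSION_REFRESH_EACH_REQUEST`, on by default) rewrite permanent sessions on every response, so on current Flask the shorter window is a configuration change rather than a copied `save_session()`. The warning still stands either way: a cookie stolen inside the window is accepted, and cancelling it early requires server-side state such as a session identifier checked against a revocation store.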
