Flask客户端会话 [英] Flask client-side sessions
问题描述
我想知道安全的Web应用程序的客户端会话有多合适。从看起来,有一些严重的问题:
- 因为所有会话变量都被序列化并且被编码在一个cookie中,所以应该小心我们不知道相同的键/值集是否具有相同的序列化值,但是如果我在一个会话中获取并存储一个cookie值,我不能在另一个会话中将相同的值(尽管是加密的)反馈给另一个会话,并使服务器相信这些是真正的会话变量值?用户在一天内被允许做的事情并不意味着同一天再被允许。如果这些会话变量的值必须始终保持不变,将它们保存在缓存中有什么好处呢?然后他们提供更多的目的,而不是让我们使用漂亮的GET URL(即,而不是丑陋的查询字符串与一些参数)
,也许我正在寻找的答案是Flask客户端会话的限制,考虑到可能的中间人攻击(当然,对于非安全http会话),或者高级恶意用户将cookie值存储为在以后的时间将他们转回来。
解决方案-
我不认为你必须无论如何,担心cookie的大小不能存储超过4KB的数据。我非常怀疑你会得到任何接近于此的容易。
-
它与其他会话一样安全,因为您可以采取
PHPSESSIDcookie到其他浏览器,就像你可以这样做。没有什么阻止它。但是,这个问题有一些解决办法,你可以在时间限制之后过期。例如,请参阅这个问题。关于这个问题,这个问题很有用。
.pocoo.org / snippets / 86 /rel =nofollow noreferrer>数据库会话,如果你愿意的话。我确信还有其他的实现可以找到。 -
- Since all the session variables are serialized and encoded in a cookie one should be careful with how much data they store there, in order to keep the size of http data travelling back and forth in reasonable size.
- I'm not sure if identical key/value sets have identical serialized values, but if I'd fetch and store a cookie value in one session, can't I feed the same, albeit encrypted, value back in another session in another time, and make the server believe those are genuine session variable values? What user is allowed to do in one day doesn't mean the same thing is allowed another day. And if those session variable values have to be secure-proofed all the time, what good is from keeping them "in cache" at all? Then they serve little more purpose than letting us to use pretty GET URLs (ie, instead of ugly query string with some parameters)
I don't think you have to worry about the size as a cookie can't store more than 4KB of data anyway. I highly doubt you'll get anywhere close to that easily.
It's just as secure as other sessions, as in you can probably take the
PHPSESSIDcookie to some other browser and have it work just as you can do it with this. Nothing prevents it. However there are workarounds this issue, you can have it expire after a time limit. See this question for example. It has useful answers regarding this issue.
编辑: 这里有一些其他的。
Starting to learn Python's Flask web app framework, still on the learning curve, so please bear with me.
I am wondering how appropriate are the client-side sessions for secure web application purposes. From what it seems, there are some serious concerns:
So, perhaps the answer I am looking for, is the limits of Flask client-side sessions, considering possible man-in-the-middle attack (for non-secure http sessions, of course) or advanced malicious user who stores the cookie values for relaying them back at later time.
You can always use a database session if you so desire. I'm sure there are other implementations you can find too.
Edit: Here are some others.
这篇关于Flask客户端会话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
