Constant Flask Session IDs


Question

      I've a Flask application, served with Nginx+WSGI (FastCGI & Gevent) and use standard Flask sessions. I do not use the session.permanent=True or any other extra option, but simply set SECRET_KEY in the default configuration.

      I do not save any (key,value) pairs in the session, and only rely on the SID = session['_id'] entry to identify a returning user. I use the following code to read the SID:

      import sys
      from flask import Blueprint, request, session

      page = Blueprint('page', __name__)  # assumed: the post shows only the route, not the blueprint it hangs on

      @page.route ('/')
      def main (page='home', template='index.html'):
          # log the session id to stderr unless the request carries ?silent=...
          if not request.args.get ('silent', False):
              print >> sys.stderr, "Session ID: %r" % session['_id']

      I made the following observations:

      1. For same IP addresses, but different browsers I get different SIDs - that's expected;
      2. For different IPs & same browser I again have different SIDs - expected;
      3. For same IP address with same browser I get same SID - also expected;

      Now, point (3) is interesting because even if I delete the corresponding cookie the SID remains constant! To some extent even that might be understandable, but actually I was expecting the SID to change between different cookies. But the only difference I see is that

      session.new is True
      

      for the first request immediately after the deletion of the cookie. Even that is very much expected; but given these facts I face the following problems:

      1. Does this mean that for different users sitting behind the same IP (with the same browser configuration) my back-end will mistake them for the same user?

      2. If point (1) is not the case, the current behavior of these "sticky" sessions is actually quite pleasant, since this avoids the situation where my users might lose their data just because they deleted the corresponding cookie.

        They can still save the day, by revisiting the site from the same network with the same browser. I like that, but only if point (1) is not the case.

      3. I assume point (1) will actually bite me, would the conclusion actually be to save a token in the session and hence accept the fate that the user can blow himself up, by simply deleting his cookie?

      4. Or is there a way to tell Flask to give different SIDs for each fresh cookie?

      Actually, this question arose since I used a load impact service, which was simulating different users (on the same IP) but my back-end kept seeing them as a single user since the corresponding SIDs were all the same.

      The application is available for tests at http://webed.blackhan.ch (which upon release will move the https://notex.ch [a browser based text editor]). Thank you for your answers.

      Solution

      It looks like you're using the Flask-Login extension. Here's the code that generates the id token:

      from hashlib import md5
      from flask import request

      def _create_identifier():
          # hash the client IP and User-Agent header; no secret or random input is involved
          base = unicode("%s|%s" % (request.remote_addr,
                                    request.headers.get("User-Agent")), 'utf8', errors='replace')
          hsh = md5()
          hsh.update(base.encode("utf8"))
          return hsh.digest()
      

      It's basically just md5(ip_address + user_agent).

      Flask uses Werkzeug's secure cookies to store this identifier. Secure cookies are (as their name suggests) secure:

      This module implements a cookie that is not alterable from the client because it adds a checksum the server checks for. You can use it as session replacement if all you have is a user id or something to mark a logged in user.
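      The following is an added example written for this page; it is not code from the question, the answer, Flask or Flask-Login. It reproduces the md5(ip|user_agent) derivation quoted in the answer in Python 3, shows two constructed visitors behind one NAT address receiving the same identifier (the situation the asker hit with the load-testing service), and contrasts it with a per-session random token plus a minimal HMAC-signed cookie, which illustrates why a cookie the client cannot alter is not the same as a cookie the client cannot predict. The function names, the sample addresses and User-Agent string, and the secret key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample requests (not taken from the original page): A and B are
# two different people sharing a NAT address and the same browser build;
# C uses the same browser from another network.
SAME_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0"
VISITOR_A = {"remote_addr": "203.0.113.7", "user_agent": SAME_UA}
VISITOR_B = {"remote_addr": "203.0.113.7", "user_agent": SAME_UA}
VISITOR_C = {"remote_addr": "198.51.100.23", "user_agent": SAME_UA}

# Hypothetical server secret; a real deployment loads SECRET_KEY from config.
SECRET_KEY = b"example-secret-key-not-for-production"


def create_identifier(remote_addr, user_agent):
    """Python 3 rendering of the Flask-Login _create_identifier() logic quoted
    in the answer: MD5 over "<remote_addr>|<User-Agent>". No secret and no
    randomness go in, so anyone sharing those two inputs gets the same value."""
    base = "%s|%s" % (remote_addr, user_agent)
    return hashlib.md5(base.encode("utf8")).hexdigest()


def identifiers_collide(req1, req2):
    """True when the IP+User-Agent scheme assigns both requests the same id."""
    return (create_identifier(req1["remote_addr"], req1["user_agent"])
            == create_identifier(req2["remote_addr"], req2["user_agent"]))


def fresh_session_token():
    """Per-session identifier independent of IP and User-Agent: 128 bits from
    the OS CSPRNG. A visitor who deletes the cookie simply gets a new one."""
    return secrets.token_urlsafe(16)


def sign_cookie(value, secret_key=SECRET_KEY):
    """Minimal stand-in for a Werkzeug-style secure cookie: the payload stays
    readable, but an HMAC tag lets the server reject client-side edits."""
    tag = hmac.new(secret_key, value.encode("utf8"), hashlib.sha256).hexdigest()
    return "%s.%s" % (value, tag)


def verify_cookie(cookie, secret_key=SECRET_KEY):
    """Return the embedded value if the tag verifies, otherwise None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret_key, value.encode("utf8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return value


def run_demo():
    """Walk through both schemes and return the observations as a dict."""
    derived_a = create_identifier(**VISITOR_A)
    derived_b = create_identifier(**VISITOR_B)
    derived_c = create_identifier(**VISITOR_C)

    # The derived id cannot be altered once signed, yet the server issues B
    # exactly the cookie it issued A, so the back-end cannot tell them apart.
    cookie_issued_to_b = sign_cookie(derived_b)

    # Random tokens: two fresh cookies never coincide, and an edited cookie
    # fails verification instead of being accepted.
    token_a = fresh_session_token()
    token_b = fresh_session_token()
    tampered = "x" + sign_cookie(token_a)  # payload changed, tag left as is

    return {
        "a_b_same_id": derived_a == derived_b,
        "a_c_same_id": derived_a == derived_c,
        "b_cookie_verifies_as_a": verify_cookie(cookie_issued_to_b) == derived_a,
        "random_tokens_distinct": token_a != token_b,
        "tampered_cookie_rejected": verify_cookie(tampered) is None,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-28s %s" % (key, value))
```

      The practical consequence for the question: as long as identity rests on session['_id'] alone, a second person behind the same NAT with the same browser (or a load generator replaying one IP and User-Agent) is indistinguishable from the first, and no cookie signing changes that, because the signature only protects integrity. Storing a random token in the session, as in fresh_session_token() above, gives every fresh cookie its own SID at the cost that a deleted cookie really does end the session.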
