Flask-Session扩展与默认会话 [英] Flask-Session extension vs default session

问题描述

我正在使用:

from flask import session

@app.route('/')
def main_page():
    if session.get('key'):
        print ("session exist" + session.get('key'))
    else:
        print ("could not find session")
        session['key'] = '34544646###########'
    return render_template('index.html')

我没有安装Flask-Session扩展，但是仍然可以正常工作.我正在尝试了解该扩展为何以及何时对我造成影响.据我所知，默认会话对我来说效果很好.

I don't have the Flask-Session extension installed but this still works fine. I'm trying to understand why and when is that extension imp to me. As far as I see, the default session works well for me.

推荐答案

区别在于会话数据的存储位置.

The difference is in where the session data is stored.

Flask的会话是客户端会话.您写入会话的任何数据都将写入cookie，并发送到客户端进行存储.客户端将在每次请求时将cookie发送回服务器，这就是您在会话中写入的数据如何在后续请求中保持可用的方式. Cookie中存储的数据经过加密签名，以防止篡改.配置中的SECRET_KEY设置用于生成签名，因此，只要您的私钥保持私有状态，客户端会话中的数据就很安全.请注意，在这种情况下，安全意味着会话中的数据不能被潜在的攻击者修改.知道外观的任何人仍然可以看到该数据，因此您永远不应在客户端会话中写入敏感信息.

Flask's sessions are client-side sessions. Any data that you write to the session is written to a cookie and sent to the client to store. The client will send the cookie back to the server with every request, that is how the data that you write in the session remains available in subsequent requests. The data stored in the cookie is cryptographically signed to prevent any tampering. The SECRET_KEY setting from your configuration is used to generate the signature, so the data in your client-side sessions is secure as long as your secret key is kept private. Note that secure in this context means that the data in the session cannot be modified by a potential attacker. The data is still visible to anybody who knows how to look, so you should never write sensitive information in a client-side session.

Flask-Session和Flask-KVSession是Flask的两个扩展，实现了服务器端会话.从应用程序的角度来看，这些会话的工作方式与Flask本机会话完全相同，但是它们将数据存储在服务器中.数据永远不会发送到客户端，因此安全性有所提高.客户端仍会收到签名的cookie，但是cookie中唯一的数据是会话ID ，该ID引用存储数据的服务器中的文件或数据库索引.

Flask-Session and Flask-KVSession are two extensions for Flask that implement server-side sessions. These sessions work exactly in the same way as the Flask native sessions from the point of view of your application, but they store the data in the server. The data is never sent to the client, so there is a bit of increased security. The client still receives a signed cookie, but the only data in the cookie is a session ID that references the file or database index in the server where the data is stored.

这篇关于Flask-Session扩展与默认会话的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！