Pyramid.security questions: Double cookies? Insecure cookies? Expiration?


Problem description




I'm taking my first foray into the Pyramid security module. I'm using this login code to set the auth_tkt:

import json

from bson import json_util  # assumed: json_util.default is bson's JSON encoder
from pyramid.httpexceptions import HTTPOk
from pyramid.security import remember
from pyramid.view import view_config


@view_config(route_name='LoginForm', request_method='POST', renderer='string')
class LoginForm(SimpleObject):
    # SimpleObject is the author's own view base class (not shown); Pyramid
    # instantiates it as SimpleObject(request) and it keeps the request on self.
    def __call__(self):

        emailAddress = self.request.params.get('emailAddress')
        password = self.request.params.get('password')

        if emailAddress != 'testemail@gmail.com' or password != 'testpassword':
            errorDictionary = { 'message' : "Either the email address or password is wrong." }
            self.request.response.status = 400
            return json.dumps( errorDictionary, default=json_util.default)

        testUserGUID = '123123123'

        # remember() returns the Set-Cookie headers carrying the auth_tkt ticket;
        # they are attached to the response returned here.
        headers = remember(self.request, testUserGUID)
        return HTTPOk(headers=headers)

It seems to work ok, but there are some puzzling details:

First of all, 2 cookies actually get set instead of one. The 2 cookies are identical (both with name "auth_tkt") except for one difference: one has a host value of ".www.mydomain.com" while the other cookie has a host value of "www.mydomain.com". Why are 2 cookies being set instead of one? What's the significance of the different host values?

Question 2, web tools reports that neither cookie is secure. What can I do to make sure the cookie/s are secure?

Question 3: Both cookies have an expiration value of "At end of session". What does this mean and how can I customize the expiration value myself? What's the recommended practice for login cookie expiration times?

Question 4: I don't understand why the first argument of "remember" is self.request instead of self.request.response. Shouldn't the data be remembered on the response object, not the request object?

Solution

  1. Actually, 3 cookies are generated; one without a Domain key, one with, and a 3rd with the wildcard version of your domain (the leading dot). Your browser usually either merges the two or ignores one of those (which one differs by browser, which is why 2 are set).

    That last cookie is generated when the wild_domain option is set on the AuthTktAuthenticationPolicy (True by default); see the AuthTktAuthenticationPolicy API. You need this if your authentication cookie is to be shared between different subdomains (think app1.domain, app2.domain); your browser won't share cookies across subdomains without a wildcard cookie.

  2. You need to set the secure option on your auth policy for cookies to get the secure flag set. Again, see the API.

  3. No expiration is set, which means that the cookies are deleted when you close your browser (the end of the session your browser shows you). If you want your users to be logged out when they close the browser, leave this as the default.

    Only if you want sessions to last across browser closures should you set a cookie maximum age; see the max_age option in the API. This option will cause browsers to store the cookie on disk to persist between browser closures, and delete it when the maximum age has passed.

    Do note that the AuthTktAuthenticationPolicy policy object can manage login sessions in a more fine-grained manner by limiting how long it'll consider any authentication cookie valid, and will let you set up a cookie refresh policy. With such a refresh policy in place users will receive new (refreshed) cookies as they continue to use your application, but if they don't connect to your server within a set period of time, their cookie would be considered invalid and they would have to log in again.

    See the timeout and reissue_time options in the API documentation for more detail on how to configure this.

  4. The policy object requires several pieces of information from the request to be able to generate the cookies, not least of all the host name of your server.
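As an added example (not code from the question or from the Pyramid project), here is a small audit of the Set-Cookie headers a login response sends, run over constructed sample headers that mirror the cookies described above, alongside the policy settings the answer points to. The hostname, ticket value and the numbers in HARDENED_POLICY are assumptions; the option names are the real keyword arguments of AuthTktAuthenticationPolicy.

```python
from http.cookies import SimpleCookie

# Constructed sample: the three auth_tkt cookies a default policy
# (secure=False, max_age=None, wild_domain=True) sends for www.mydomain.com.
DEFAULT_SET_COOKIE = [
    "auth_tkt=TICKET_PLACEHOLDER; Path=/",
    "auth_tkt=TICKET_PLACEHOLDER; Path=/; Domain=www.mydomain.com",
    "auth_tkt=TICKET_PLACEHOLDER; Path=/; Domain=.www.mydomain.com",
]

# Constructed sample: the same login with HARDENED_POLICY applied
# (Secure, HttpOnly, Max-Age present; no leading-dot cookie).
HARDENED_SET_COOKIE = [
    "auth_tkt=TICKET_PLACEHOLDER; Path=/; Max-Age=3600; Secure; HttpOnly",
    "auth_tkt=TICKET_PLACEHOLDER; Path=/; Domain=www.mydomain.com; "
    "Max-Age=3600; Secure; HttpOnly",
]

# Assumed values, passed as AuthTktAuthenticationPolicy(secret, **HARDENED_POLICY).
HARDENED_POLICY = {
    "secure": True,        # question 2: Secure flag, cookie only sent over HTTPS
    "http_only": True,     # ticket not readable by page scripts
    "max_age": 3600,       # question 3: survives browser close, dropped after 1 h
    "timeout": 1800,       # ticket expires 30 min after it was (re)issued
    "reissue_time": 300,   # a request made once the ticket is 5 min old gets a fresh one
    "wild_domain": False,  # question 1: no leading-dot cookie unless subdomains share the login
}

def audit_set_cookie(set_cookie_headers, cookie_name="auth_tkt"):
    """Map each cookie_name cookie, keyed by its Domain, to a list of findings.
    Covers the dev-tools "secure" column plus HttpOnly and lifetime."""
    report = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses the value and attributes of one Set-Cookie line
        morsel = jar.get(cookie_name)
        if morsel is None:
            continue
        findings = []
        if not morsel["secure"]:
            findings.append("no Secure flag: ticket also sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append("no HttpOnly flag: ticket readable by page scripts")
        if not morsel["max-age"] and not morsel["expires"]:
            findings.append("session cookie: no Max-Age/Expires, dies with the browser")
        report[morsel["domain"] or "(host-only)"] = findings
    return report
```

Feed it the Set-Cookie headers from your own login response (for example from a test client) to confirm the policy change took effect.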
