Access session / request information outside of views in Django


Problem description


I need to store a special cookie that is coming from some non-Django applications. I can do this in views:

request.session['special_cookies'] = special_cookies

But in the non-views py files, I need to access this special cookie.

According to docs, I can do this

>>> from django.contrib.sessions.backends.db import SessionStore
>>> import datetime
>>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
>>> s['last_login'] = datetime.datetime(2005, 8, 20, 13, 35, 10)
>>> s['last_login']
datetime.datetime(2005, 8, 20, 13, 35, 0)
>>> s.save()

If I don't supply the session key, Django will generate one for me. I am concerned about the effect of getting many new session keys. (I don't think this is good when you have multiple users, right...?)

I want a user to have this special cookie bound to the user's session. However, I do not want to save this in a user profile, for security reasons. This cookie is generated when we log in (our application will send in this special cookie). We want to send this cookie back and forth throughout the browsing session.

How should I go about solving this?

Thank you very much!


#views.py
request.session['special_cookies'] = library.get_special_cookies(user, pwd)

#library.py
def get_special_cookies(user, pwd):
    # call_external_api is a placeholder for the HTTP call to the non-Django application
    res = call_external_api("http://foobar.com/api/get_special_cookies", user, pwd)
    return res

#foobar.py  (also non-views)
def do_this(user, special_cookies):
    ...

I am pretty sure this is fine....

#views_2.py
def dummy_views(request):
    foobar.do_this(request.user, request.session['special_cookies'])

But there are instances where I don't want to get my special cookies through views / calling get_special_cookies. I want it to last throughout. Or am I overthinking..?

Solution

In order to explain why you are on a dangerous path, we have to remember why server side sessions were invented in the first place:

HTTP is a stateless protocol. A stateless protocol does not require the server to retain information or status about each user for the duration of multiple requests. For example, when a web server is required to customize the content of a web page for a user, the web application may have to track the user's progress from page to page. A common solution is the use of HTTP cookies. Other methods include server side sessions, hidden variables (when the current page contains a form), and URL-rewriting using URI-encoded parameters.

Django is a very mature framework; if some goal seems hard to accomplish in Django, you are probably taking the wrong approach to the problem. Even if you can store server side session information directly at the session backend, it seems like bad design to me, because session data is not relevant outside requests.

IMHO, if you need to share authentication/authorization data among applications, you should really consider something like OAuth, otherwise you will end up with something insecure, fragile, ugly and hard to support.

(sorry if I sound condescending, English is not my native idiom).

[update]

Hi Paulo. Thank you very much. I believe my team doesn't want to introduce OAuth or any sort of extra layer of authentication mechanism. But are you against inserting this special cookie into HttpResponse.COOKIES?

A few remarks if you really want to go this way:

  • you will be constrained by the "same domain" restriction (the other application should reside in the same TLD)
  • you should use some sort of signing to avoid tampering with the cookies

Is that a better solution than request.session?

There are some mechanisms to deal with this kind of problem at a higher level. For example:

  • if you want to make a variable present at every template context based on the value of some cookie, you can write a custom context processor.
  • if you want to reroute views depending on the presence of a cookie, you should write a custom middleware.

I can't provide a more specific solution without further details about your goals, but using these hooks you can avoid repeating code to test for the external cookie in every view - note however that everything concerning cookies is tied to the request/response context and makes no sense outside it.
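
The answer's second remark (sign the cookie so tampering is detected), as an added example that is not part of the original answer. It uses only the Python standard library; the key, cookie name and cookie value are constructed for the demonstration. In a Django project, `HttpResponse.set_signed_cookie()` and `HttpRequest.get_signed_cookie()` provide signed cookies without hand-written code.

```python
import base64
import hashlib
import hmac
import time

# Assumption: stands in for the project's secret (settings.SECRET_KEY in Django).
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _mac(cookie_name, payload):
    # Derive a per-cookie key from the cookie name so a signature issued for
    # one cookie does not validate when replayed under another name.
    key = hashlib.sha256(cookie_name.encode() + SECRET_KEY).digest()
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def sign_cookie(cookie_name, value, now=None):
    """Return 'b64(value):issued_at:mac' for use as the cookie value."""
    issued = int(time.time() if now is None else now)
    payload = f"{_b64(value.encode())}:{issued}"
    return f"{payload}:{_mac(cookie_name, payload)}"


def verify_cookie(cookie_name, signed, max_age, now=None):
    """Return the original value, or None if malformed, tampered or expired."""
    try:
        payload, mac = signed.rsplit(":", 1)
        encoded, issued = payload.split(":", 1)
        issued_at = int(issued)
        expected = _mac(cookie_name, payload)
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return None
        if (time.time() if now is None else now) - issued_at > max_age:
            return None
        padded = encoded + "=" * (-len(encoded) % 4)
        return base64.urlsafe_b64decode(padded).decode()
    except ValueError:
        return None
```

Signing only detects modification: the value stays readable by the client, so a credential for another application carried this way is still exposed to anyone who obtains the cookie.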
