flask_session详细
简单说明:
flask_session可以这么说吧,flask原本的session是保存在浏览器cookie中的,这样就产生了一个很重要的问题,如果我们在session中不存敏感信息还好,如果存的是敏感信息那么信息安全是没有保障的,而flask_session可以让我们把session的值存储在redis/Memcached中。
将数据存储在redis/memcached中然后把所对应的key存放在用户的cookie中。
实现方式:
在flask源码中
def wsgi_app(self, environ, start_response): ctx = self.request_context(environ) ctx.push() error = None try: try: response = self.full_dispatch_request() except Exception as e: error = e response = self.handle_exception(e) except: error = sys.exc_info()[1] raise return response(environ, start_response) finally: if self.should_ignore_error(error): error = None ctx.auto_pop(error)
ctx.push()方法中有
|
1
2
3
|
self.session = self.app.open_session(self.request)if self.session is None: self.session = self.app.make_null_session() |
执行的是self.session_interface.open_session(self, request)、
这里的session_interface是flask中默认的,所以我们如果把默认的session_interface重新赋值那么open_session执行的就不会是flask中默认的session_interface而应该是我们重新赋值的类中的open_session
RedisSessionInterface源码解析:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
def open_session(self, app, request): # 从cookie中拿sid sid = request.cookies.get(app.session_cookie_name) if not sid: sid = self._generate_sid() # 生成一个特殊的字典 return self.session_class(sid=sid, permanent=self.permanent) if self.use_signer: signer = self._get_signer(app) if signer is None: return None try: sid_as_bytes = signer.unsign(sid) sid = sid_as_bytes.decode() except BadSignature: sid = self._generate_sid() return self.session_class(sid=sid, permanent=self.permanent) if not PY2 and not isinstance(sid, text_type): sid = sid.decode('utf-8', 'strict') val = self.redis.get(self.key_prefix + sid) if val is not None: try: data = self.serializer.loads(val) return self.session_class(data, sid=sid) except: return self.session_class(sid=sid, permanent=self.permanent) return self.session_class(sid=sid, permanent=self.permanent) |
可以看到大致是这么做的,
1.先从cookie中拿值,
2.判断是否cookie中sid是否存在
3.1如果不存在那么就返回一个特殊的字典
3.2如果有sid那么去redis中拿值,并用pickle反序列化,返回一个字典
当我们在视图函数中进行session操作的时候会调用save_session看看我们接着来看看save_session做了什么事:
def save_session(self, app, session, response):
domain = self.get_cookie_domain(app)
path = self.get_cookie_path(app)
# Delete case. If there is no session we bail early.
# If the session was modified to be empty we remove the
# whole cookie.
if not session:
if session.modified:
response.delete_cookie(app.session_cookie_name,
domain=domain, path=path)
return
# Modification case. There are upsides and downsides to
# emitting a set-cookie header each request. The behavior
# is controlled by the :meth:`should_set_cookie` method
# which performs a quick check to figure out if the cookie
# should be set or not. This is controlled by the
# SESSION_REFRESH_EACH_REQUEST config flag as well as
# the permanent flag on the session itself.
if not self.should_set_cookie(app, session):
return
httponly = self.get_cookie_httponly(app)
secure = self.get_cookie_secure(app)
expires = self.get_expiration_time(app, session)
val = self.get_signing_serializer(app).dumps(dict(session))
response.set_cookie(app.session_cookie_name, val,
expires=expires, httponly=httponly,
domain=domain, path=path, secure=secure)
拿到域名,和路径如果有路径判断是否有修改,此处会出现一个bug就是你在修改数据的时候,程序只会检测到你的第一级数据有没有变化,而不会检测到内部的字典是否发生了变化。
这时我们可以在views中self.session['modified'] = True
但是我们更加推荐另一种方式在配置文件中设置
SESSION_REFRESH_EACH_REQUEST = True
这样有一个好处每次都可以设置session而且可以刷新session的过期时间,在原生的session_interface中还要设置
session.permanent = True
而在我们设置的flask_session中就不用设置了默认为True
浙公网安备 33010602011771号