Django请求有时不包含基于SSL的会话

时间:2019-12-17 15:17:10

标签: python django session ssl web-applications

我在Django Web应用程序上遇到了一些奇怪的事情,我在数据库上使用会话来跟踪用户会话,但是似乎在SSL上这些会话并没有存在,我没有很多东西提示原因,但是我有证据证明它是如何发生的。

我的主要问题是,我认为如果登录后将您重定向到索引,而在索引中,如果您未登录,则将您重定向到登录屏幕,那么会发生什么这是登录后,服务器会将我重定向到索引页面,但是索引将在会话中检查“登录”参数是否为“无”,然后在登录表单上再次检查该会话,并且实际上用户登录,因此我进入了无限重定向循环,不久之后chrome表示页面重定向次数过多。

这是我的设置。py

"""
Django settings for rienpaAdmin project.

Generated by 'django-admin startproject' using Django 2.2.6.

For more information on this file, see
https://docs.djangoproject.com/en/2.2/topics/settings/

For the full list of settings and their values, see
https://docs.djangoproject.com/en/2.2/ref/settings/
"""

import os

# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))


# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/2.2/howto/deployment/checklist/

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'SecretKey'

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = False

ALLOWED_HOSTS = ['lodugo.com', 'www.lodugo.com']


# Application definition

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'main.apps.MainConfig',
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

ROOT_URLCONF = 'rienpaAdmin.urls'

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
            ],
        },
    },
]

SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
SESSION_COOKIE_DOMAIN = 'lodugo.com'
SESSION_COOKIE_SECURE = True
SESSION_SAVE_EVERY_REQUEST = True
SESSION_COOKIE_NAME = 'lodugo'
CSRF_COOKIE_SECURE = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_HSTS_SECONDS = 15552000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
X_FRAME_OPTIONS = "DENY"
SESSION_COOKIE_AGE=7776000
SESSION_EXPIRE_AT_BROWSER_CLOSE=False



WSGI_APPLICATION = 'rienpaAdmin.wsgi.application'


# Database
# https://docs.djangoproject.com/en/2.2/ref/settings/#databases

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': 'DatabaseName',
        'USER': 'USER',
        'PASSWORD': 'PASSWORD',
        'HOST': 'localhost',
        'PORT': '',
    }
}


# Password validation
# https://docs.djangoproject.com/en/2.2/ref/settings/#auth-password-validators

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]


# Internationalization
# https://docs.djangoproject.com/en/2.2/topics/i18n/

LANGUAGE_CODE = 'en-us'

TIME_ZONE = 'UTC'

USE_I18N = True

USE_L10N = True

USE_TZ = True


# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/2.2/howto/static-files/

STATIC_URL = '/static/'

这是我的views.py 

def app_admin(request: HttpRequest) -> HttpResponse:
    if (request.session.get('logged_in', False)) is not True:
        authentication = "false"
        if request.method == "POST":
            post: QueryDict = request.POST
            firebase_manager = FirebaseManager()
            result = firebase_manager.user_login(post.get('email'), post.get('password'))
            if result:
                messages.success(request, "Ingreso correcto")
                request.session['firebase_session'] = firebase_manager.save_session()
                authentication = "true"
            elif firebase_manager.error_message == "EMAIL_NOT_FOUND":
                messages.error(request, "Error: Esta cuenta no existe")
            elif firebase_manager.error_message == "INVALID_PASSWORD":
                messages.error(request, "Error: Contraseña incorrecta")
            else:
                messages.error(request, "Error: Ocurrio un error inesperado," +
                               " por favor intentalo de nuevo")
        return render(request,
                      "main/login.html",
                      context={"auth": authentication})
    return redirect("main:index")

def load_user(request: HttpRequest) -> HttpResponse:
    if request.method == "POST":
        firebase_manager = FirebaseManager()
        firebase_manager.load_session(request.session['firebase_session'])
        user_data = firebase_manager.user_data()
        request.session['user_data'] = user_data
        request.session['logged_in'] = 'true'
        return HttpResponse("Done")
    raise Http404

def index(request: HttpRequest) -> HttpResponse:
    chart_ready = "true"
    if request.session.get('logged_in', False) is True:
        user = User()
        user.load_data(request.session['user_data'])
        return render(request, "main/admin_main_screen.html", context={"user": user, "chart_ready": chart_ready})
    return redirect("main:appadmin")

def logout(request: HttpRequest) -> HttpResponse:
    if request.method == "POST":
        del request.session['user_data']
        del request.session['logged_in']
        del request.session['firebase_session']
        request.session.clear()
        request.session.flush()
        return HttpResponse("Done")
    raise Http404

其中app_admin方法是我的登录表单,而索引是我的索引。

我检查了会话中'logged_in'键的输出,输出为:

None #First load of the login form
None #Second load over the POST method
None #Result over the Index page after redirected with AJAX
True #Result from login form after being redirected
None #Result from index, not getting the session
True #Result from login again, redirects again to index
None #Result over index, redirects again to login

如您所见,我的项目是在Django 2.2上创建的,但是我使用的是Django 3.0,并且我还将posgreSQL用作数据库。通过HTTP在我的开发服务器上可以正常工作

编辑:我测试了输出另一个会话密钥,例如'firebase_session'密钥,并且无论如何我似乎总是能得到正确的值,但对于'logged_in'却不是,这是很好的线索,但仍然需要弄清楚发生了什么

EDIT2:我没有使用会话密钥“ user_data”进行测试,因为它是JSON作为firebase_session密钥,但是,有时,此user_data也显示为None,只有firebase_session一直存在,我真的不知道为什么< / p>

1 个答案:

答案 0 :(得分:1)

钉了它。仔细阅读有关缓存会话(here)的文档,您会发现一条警告,阐明了缓存数据库会话和只是数据库会话是不相同的,此外,还有一条警告说本地缓存会话不相同。多进程安全,并且不利于生产,这是引用:

  

警告

     

仅在使用Memcached缓存后端时,才应使用基于缓存的会话。本地内存缓存后端无法保留足够长的数据,因此不是一个很好的选择,直接使用文件或数据库会话比通过文件或数据库缓存后端发送所有内容会更快。此外,本地内存缓存后端不是多进程安全的,因此对于生产环境而言可能不是一个好选择。

因此,由于此提示,我将settings.py上的会话类型从以下位置更改了:

'django.contrib.sessions.backends.cached_db'


'django.contrib.sessions.backends.db'

一切正常。这没有使用memcached后端,这似乎是Django最好的方法,因为它使用了物理内存,我将在以后尝试,因为这是正确使用cached_db后端的正确方法。

相关问题
最新问题