cookie:

    from django.http import HttpResponse

    response = HttpResponse()
    # Arguments: cookie key, value, and the salt mixed into the signature.
    response.set_signed_cookie("signed_cookie_name", "signed_cookie_value", "salt")

cookie:

    Name: signed_cookie_name
    Value: signed_cookie_value:1fPSBW:_JLMVkTZzxZe7aZr7KyjXwrsBBs

value??
Django is designed like this.

signed_cookie is just a signed cookie, not an encrypted cookie.

signed_cookie exists to prevent users from tampering with it on their own. Reference: Securing Web Cookies With Signatures

> So once I've logged in, we set a username cookie containing "Michael Brunton-Spall", or uid=1 or something.
> The problem with this is that the user is in total control of this cookie

Simply recording the uid or user name in a cookie makes it easy to tamper with (which is also the reason why it is not recommended to record sensitive user information in a cookie). If an attacker replaces uid=1 with uid=2, won't he be able to access the uid=2 user's resources? If it is replaced by uid=2:1fPjh2:iQGDDYNcgSYkIFqa2ixqakj6-gI, then the server not only verifies uid, but also verifies the signature field after uid=2, that is, it calls HttpRequest.get_signed_cookie(key=key, salt=salt), so that even if the user changes the value in the cookie to uid=2 but does not sign it, the server still refuses access to the resources.

In addition, Django's cookie signature is Base64_with_hmac. Refer to the source code of django.core.signing.

If you need to set an encrypted value in the cookie, you need to encrypt the value by yourself (it seems it can only be symmetric encryption), for example, use hashlib.sha256 (reference: hashlib - Secure hashes and message digests, python.org/3/library/hashlib.html).

Introduction to JSON Web Tokens also exposes information to users (but ordinary users cannot see the information directly through the token; it needs a little encryption and decryption, and it is impossible for users to modify the encrypted content).

To fundamentally prevent man-in-the-middle attacks, HTTPS would be a wise choice.