Django uses the cookie, set by set_signed_cookie () to display the value that is not encrypted.

cookie:
    response = HttpResponse()
    response.set_signed_cookie("signed_cookie_name","signed_cookie_value","salt")

cookie,:
    Name :signed_cookie_name
    Value :signed_cookie_value:1fPSBW:_JLMVkTZzxZe7aZr7KyjXwrsBBs

 value,??
Mar.16,2021

Django is designed like this.
signed_cookie is just a signed cookie, not an encrypted cookie.

The function of

signed_cookie is to prevent users from compiling it privately. Reference: Securing Web Cookies With Signatures

So once I've logged in, we set a username cookie containing "Michael Brunton-Spall", or uid=1 or something.
The problem with this is that the user is in total control of this cookie

simply recording uid or user name is easy to be tampered with in cookie (which is also the reason why it is not recommended to record user sensitive information in cookie). In case an attacker replaces uid=1 with uid=2 , won't he be able to access uid=2 user's resources? If it is replaced by uid=2:1fPjh2:iQGDDYNcgSYkIFqa2ixqakj6-gI , then the server not only verifies uid , but also verifies the signature field after uid=2 , that is, it calls HttpRequest.get_signed_cookie (key=key, salt=salt) , so that even if the user changes the value in cookie to uid=2 , but does not sign, the server still refuses to access resources.

in addition, the cookie signature of Django is Base64_with_hmac . Refer to Source code for django.core.signing

.

if you need to set the encrypted value, in cookie, you need to encrypt the value by yourself (as if it can only be symmetrical encryption), for example, use hashlib.sha256 {reference: python.org/3/library/hashlib.html" rel=" nofollow noreferrer "> hashlib-Secure hashes and message digests }:

  Introduction to JSON Web Tokens  also exposes information to users (but ordinary users cannot see the information directly through token, need a little encryption and decryption, and it is impossible for users to modify the encrypted content). 
needs to fundamentally prevent man-in-the-middle attacks, and https would be a wise choice.

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1b34f33-2bf3c.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1b34f33-2bf3c.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?