通過 redis 的 session（伺服器端會話）保存使用者資訊 --- cookie 只攜帶一個用 cookie_secret 簽名的 session id，使用者資訊本身不再寫入 cookie，因此不會從 cookie 中洩露。注意：這是「簽名 + 伺服器端儲存」，並不是對 cookie 內容加密；cookie_secret 一旦被猜到（例如範例中的 'haha'），簽名就可以被偽造。
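"""Tornado login demo: Redis-backed (pycket) sessions plus XSRF protection.

Security points this listing is meant to demonstrate:

- pycket keeps the session *data* in Redis; the browser only receives a
  session-id cookie signed with ``cookie_secret``.  A guessable secret lets
  anyone mint a valid-looking cookie, so the key is read from the environment.
- Tornado only verifies the ``_xsrf`` field that ``xsrf_form_html()`` emits
  when ``xsrf_cookies=True`` is set on the Application.
- The ``next`` parameter is user-controlled; it is restricted to same-site
  paths so the login page cannot be used as an open redirect.
"""
import logging
import os
import secrets

import tornado.httpserver
import tornado.ioloop
import tornado.options
import tornado.web
from tornado.options import define, options
# @authenticated redirects to login_url (with ?next=<uri>) when get_current_user() is falsy.
from tornado.web import authenticated

# SessionMixin provides self.session, configured by the 'pycket' settings below.
from pycket.session import SessionMixin

from data.table_1 import User

define('port', default=8000, help='run port', type=int)
define('version', default=0.1, help='version', type=str)

log = logging.getLogger(__name__)

# Key used to sign the session-id cookie.  The original listing hard-coded 'haha',
# which lets anyone who has read the listing forge cookies.  A fresh random key per
# process is a safe fallback but invalidates existing sessions on every restart --
# set COOKIE_SECRET in deployment.
COOKIE_SECRET = os.environ.get('COOKIE_SECRET') or secrets.token_hex(32)

# Landing page after login when no acceptable "next" was supplied.
DEFAULT_AFTER_LOGIN = '/buy'


def _safe_next(target):
    """Return *target* if it is a same-site path, else the default landing page.

    Only paths starting with a single '/' are accepted.  '//host' and '/\\host'
    are treated as scheme-relative URLs by browsers and would turn the login
    page into an open redirect to an attacker's site.

    Args:
        target: raw value of the ``next`` query/form parameter (may be '').
    """
    if target and target.startswith('/') and not target.startswith(('//', '/\\')):
        return target
    return DEFAULT_AFTER_LOGIN


class BaseHandler(tornado.web.RequestHandler, SessionMixin):
    """Handler base with pycket sessions; also what @authenticated relies on."""

    def get_current_user(self):
        """Return the logged-in user's name from the Redis session, or None."""
        # Session data lives in Redis; the browser holds only a signed session id,
        # so the user name never reaches the client (unlike the earlier
        # get_secure_cookie('ID') approach).
        return self.session.get('ID') or None


class LoginHandler(BaseHandler):
    """Login form (GET) and credential check (POST)."""

    def get(self):
        """Render the login form, carrying the optional ``next`` target through."""
        nextname = self.get_argument('next', '')
        self.render('login_1.html', nextname=nextname, error='')

    def post(self, *args, **kwargs):
        """Check credentials; on success store the user in the session and redirect."""
        name = self.get_argument('name', '')
        password = self.get_argument('password', '')
        nextname = self.get_argument('next', '')
        # Never log the submitted password (the original print() wrote it to stdout).
        log.info('login attempt user=%r next=%r', name, nextname)
        user = User.by_name(name)
        # NOTE(review): this compares the stored password in plain text.  User should
        # store a salted hash (hashlib.scrypt / pbkdf2_hmac) and verify with
        # hmac.compare_digest; left as-is because the User schema is outside this file.
        if user and user.password == password:
            # Stored in Redis; only the session id is sent to the browser.
            self.session.set('ID', name)
            self.redirect(_safe_next(nextname))
        else:
            self.render('login_1.html', nextname=nextname, error='用戶名或密碼錯誤')


class BuyHandler(BaseHandler):
    """A page that requires login; anonymous users are sent to login_url."""

    @authenticated
    def get(self):
        self.write('歡迎您,尊敬的 VIP1000 用戶')


application = tornado.web.Application(
    [
        (r"/login", LoginHandler),
        (r"/buy", BuyHandler),
    ],
    template_path='templates',
    login_url='/login',
    cookie_secret=COOKIE_SECRET,
    # Without this Tornado never calls check_xsrf_cookie() on POST: the hidden
    # _xsrf field that login_1.html emits via xsrf_form_html() would be sent but
    # never verified.
    xsrf_cookies=True,
    pycket={
        'engine': 'redis',
        'storage': {
            'host': 'localhost',
            'port': 6379,
            'db_sessions': 5,            # Redis logical db (0-15) holding session data
            'db_notifications': 11,
            'max_connections': 2 ** 31,  # effectively unbounded; tune for a real deployment
        },
        # Passed through to set_secure_cookie() for the session-id cookie.
        'cookies': {
            # max_age is in seconds and browsers prefer Max-Age over Expires, so the
            # cookie lives 100 s rather than 30 days -- TODO confirm which is intended.
            'expires_days': 30,
            'max_age': 100,
            # Keep the session id out of reach of page scripts.  Add 'secure': True
            # once the site is served over HTTPS.
            'httponly': True,
        },
    },
    # debug=True enables autoreload and returns Python tracebacks to clients;
    # never ship it enabled.
    debug=True,
)

if __name__ == '__main__':
    tornado.options.parse_command_line()  # e.g. --port=1040
    print(options.port)
    print(options.version)
    http_server = tornado.httpserver.HTTPServer(application)
    # The original built http_server but then called application.listen(); use one.
    http_server.listen(options.port)
    tornado.ioloop.IOLoop.instance().start()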
防止第三方網站利用瀏覽器自動附帶的登入 cookie，冒充使用者向服務器提交請求，也就是跨站請求偽造（CSRF / XSRF）。注意攻擊者並不需要盜取 cookie：只要使用者已登入，瀏覽器就會自動把 cookie 附在任何來源的請求上。
思路：在返回登錄頁面時，服務器產生一串隨機標記，同時寫入 _xsrf cookie 和表單的隱藏欄位；收到 POST 時比對兩者是否一致。第三方網站無法讀取本站的 cookie，因此偽造不出相符的隱藏欄位，這就證明表單是由本站頁面送出的。注意：Tornado 只有在 Application 設定 xsrf_cookies=True 時才會執行這個檢查，只在模板裡寫 xsrf_form_html() 是不夠的。
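<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
{# The handler passes the message text; render it instead of a hard-coded copy.
   {{ }} is HTML-escaped by Tornado's autoescape. #}
{% if error %}
{{ error }}
{% end %}
{# One form serves both cases; only the action differs.  "next" is user-controlled
   and lands inside a URL, so it needs URL-encoding -- autoescape only HTML-escapes. #}
{% if nextname == '' %}
<form method="post" action="/login">
{% else %}
<form method="post" action="/login?next={{ url_escape(nextname) }}">
{% end %}
    {# Emits the hidden _xsrf field that must match the _xsrf cookie on submit.
       Tornado verifies it only when the Application sets xsrf_cookies=True. #}
    {% module xsrf_form_html() %}
    <p>用戶名:<input type="text" name="name"></p>
    <p>密碼:<input type="password" name="password"></p>
    <input type="submit">
</form>
</body>
</html>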
和