If a user deletes his cookies for a Flask site, can the server still associate him with his session?

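If a user deletes his cookies for a Flask site, does that effectively end the session? If not, is there any possible way for Flask to figure out who the user is without the user logging in, so that the server can connect that user with his previous session?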

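A session is more like a unique ID issued to your browser and... so most of the time, when you change the session (not the session ID), you only modify the backend part.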

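The answer seems to be "Yes, Flask can sometimes 'figure out who you are' (re-associate you with your previous session) even if you delete your cookie".

This is because your Flask-Login session ID is generated by a deterministic algorithm based only on your IP address and user_agent string.

I learned all of this by reading the SO question linked below and its answers: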

Constant Flask Session IDs

I made the following observations:

  1. For same IP addresses, but different browsers I get different SIDs - that's expected;
  2. For different IPs & same browser I again have different SIDs - expected;
  3. For same IP address with same browser I get same SID - also expected;

Now, point (3) is interesting because even if I delete the corresponding cookie the SID remains constant! To some extent even that might be understandable, but actually I was expecting the SID to change between different cookies. But the only difference I see is that

session.new is True

for the first request immediately after the deletion of the cookie.

An answer to the same question:

It looks like you're using the Flask-Login extension. Here's the code that generates the id token:

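# Python 2 code (uses the built-in unicode type); request is Flask's request object.
from hashlib import md5
from flask import request

def _create_identifier():
    # Build "ip|user_agent" from the current request
    base = unicode("%s|%s" % (request.remote_addr,
                              request.headers.get("User-Agent")), 'utf8', errors='replace')
    hsh = md5()
    hsh.update(base.encode("utf8"))
    return hsh.digest()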

It's basically just md5(ip_address + user_agent).
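
The behaviour described in the answer above, as an added example that is not part of the original post or of Flask-Login's own code: a Python 3 port of the quoted function (taking the IP address and User-Agent as arguments and returning a hex digest instead of raw bytes), run over constructed requests beside a random server-issued ID for contrast. The names `create_identifier`, `random_session_id` and `simulate_visits` and all sample values are assumptions made for illustration.

```python
import hashlib
import secrets


def create_identifier(remote_addr, user_agent):
    """Python 3 port of the quoted function: md5 of "ip|user_agent"."""
    base = "%s|%s" % (remote_addr, user_agent)
    return hashlib.md5(base.encode("utf8", errors="replace")).hexdigest()


def random_session_id():
    """Server-issued random ID: not derivable from anything the client sends."""
    return secrets.token_urlsafe(32)


def simulate_visits(visits, make_id):
    """Return the ID each visit receives when every visit arrives with no cookie."""
    return [make_id(ip, ua) for ip, ua in visits]


# Constructed sample requests (documentation IP ranges, shortened User-Agent strings).
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
CHROME = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
VISITS = [
    ("203.0.113.7", FIREFOX),   # first visit
    ("203.0.113.7", FIREFOX),   # same client after deleting its cookie
    ("203.0.113.7", CHROME),    # same IP, different browser
    ("198.51.100.9", FIREFOX),  # different IP, same browser
]

if __name__ == "__main__":
    derived = simulate_visits(VISITS, create_identifier)
    issued = simulate_visits(VISITS, lambda ip, ua: random_session_id())
    for (ip, ua), d, r in zip(VISITS, derived, issued):
        print(f"{ip:14} {ua[-14:]:14} derived={d[:12]} random={r[:12]}")
```

The derived value is a fingerprint of two values the client sends, so it is unchanged after the cookie is deleted and is shared by every client presenting the same IP address and User-Agent. The random ID differs on every issue, which is what the asker expected to see after deleting the cookie.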