登录时,Django的要求session.flush()
或session.cycle_key()
,这使得从旧的会话确保没有保留。这是一项安全措施,可以防止会话修复漏洞。因此,在应用此解决方案时,请注意您想要保留哪些变量。
它要保持某种状态,您必须在登录发出后恢复该状态。
Chase Seibert的解决方案是一个很好的开始,由于该代码中的线程安全问题,它非常不安全。你可以在这里找到一个改进版本,它是安全的使用方法:
class persist_session_vars(object):
"""
Some views, such as login and logout, will reset all session state.
(via a call to ``request.session.cycle_key()`` or ``session.flush()``).
That is a security measure to mitigate session fixation vulnerabilities.
By applying this decorator, some values are retained.
Be very aware what find of variables you want to persist.
"""
def __init__(self, vars):
self.vars = vars
def __call__(self, view_func):
@wraps(view_func)
def inner(request, *args, **kwargs):
# Backup first
session_backup = {}
for var in self.vars:
try:
session_backup[var] = request.session[var]
except KeyError:
pass
# Call the original view
response = view_func(request, *args, **kwargs)
# Restore variables in the new session
for var, value in session_backup.items():
request.session[var] = value
return response
return inner
,现在你可以这样写:
from django.contrib.auth import views
@persist_session_vars(['some_field'])
def login(request, *args, **kwargs):
return views.login(request, *args, **kwargs)
而对于基于类的意见(Django的allauth):
import allauth.account.views as auth_views
from django.utils.decorators import method_decorator
@method_decorator(persist_session_vars(['some_field']), name='dispatch')
class LoginView(auth_views.LoginView):
pass
并在url模式中使用该视图:
import allauth.urls
from django.conf.urls import include, url
from . import views
urlpatterns = [
# Views that overlap the default:
url(r'^login/$', views.LoginView.as_view(), name='account_login'),
# default allauth urls
url(r'', include(allauth.urls)),
]
这基本上回答了我的问题,谢谢! –