Hand-crafting a Flask session to simulate a cookie login
source link: https://blog.est.im/2021/stdout-022
Posted 2021-12-08 | stdout
Have you ever wondered why a Flask configuration must provide a SECRET_KEY, and why, once it does, the app can keep a session state in the browser and read and write data from it?
Here is a note on the underlying implementation. The package it actually relies on is itsdangerous:
```python
import hashlib
from itsdangerous import URLSafeTimedSerializer

# Reproduce exactly the serializer that flask.sessions.SecureCookieSessionInterface
# builds, so that the output is a cookie Flask itself will accept.
URLSafeTimedSerializer(
    'YOUR_SECRET_KEY',  # from pyxis/config/prod.py
    'cookie-session',   # from flask.sessions.SecureCookieSessionInterface.salt
    # serializer=TaggedJSONSerializer(),  # from flask.json.tag; Flask's default, adds type tags
    signer_kwargs={'key_derivation': 'hmac', 'digest_method': hashlib.sha1}
).dumps({
    "your_key": "your_value"
})
```
If someone else gets hold of your SECRET_KEY,
they can forge arbitrary session cookies.
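To make clear what itsdangerous is doing under the hood, and why the secret key is the only thing that stands between a valid cookie and a forged one, the following added example (not code from the original post) re-implements the URLSafeTimedSerializer cookie format with the standard library only: URL-safe base64 without padding, an HMAC-SHA1 key derived from the secret key and the 'cookie-session' salt, and a signature over payload plus timestamp. The verifying side is the interesting part for a defender: it rejects a cookie signed with a different key, a cookie whose bytes were altered, and a cookie older than the configured lifetime (what Flask's PERMANENT_SESSION_LIFETIME feeds into as max_age). The secret key, session contents and timestamps are constructed sample values, and the function names are my own.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"  # salt used by flask.sessions.SecureCookieSessionInterface


def _b64e(data: bytes) -> bytes:
    # URL-safe base64 with the "=" padding stripped, as itsdangerous does
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret_key: bytes) -> bytes:
    # key_derivation='hmac': the signing key is HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def _signature(secret_key: bytes, value: bytes) -> bytes:
    return _b64e(hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest())


def dump_session(data: dict, secret_key: str, timestamp: Optional[int] = None) -> str:
    """Produce a Flask-style session cookie: <payload>.<timestamp>.<signature>."""
    # Compact JSON; for plain dicts of strings this matches Flask's tagged JSON.
    raw = json.dumps(data, separators=(",", ":")).encode()
    payload = _b64e(raw)
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:
        payload = b"." + _b64e(compressed)  # a leading "." marks a compressed payload
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big")
    signed_part = payload + b"." + _b64e(ts_bytes)
    return (signed_part + b"." + _signature(secret_key.encode(), signed_part)).decode()


def load_session(cookie: str, secret_key: str, max_age: Optional[int] = None,
                 now: Optional[int] = None) -> Optional[dict]:
    """Verify signature and age; return the session dict, or None if rejected."""
    raw = cookie.encode()
    signed_part, sep, sig = raw.rpartition(b".")
    if not sep:
        return None
    expected = _signature(secret_key.encode(), signed_part)
    # Constant-time comparison, as itsdangerous does, so timing does not leak the MAC.
    if not hmac.compare_digest(expected, sig):
        return None
    payload, sep, ts_b64 = signed_part.rpartition(b".")
    if not sep:
        return None
    try:
        ts = int.from_bytes(_b64d(ts_b64), "big")
        if max_age is not None:
            current = int(time.time()) if now is None else now
            if current - ts > max_age:
                return None  # expired: a stolen cookie stops working after max_age
        if payload.startswith(b"."):
            body = zlib.decompress(_b64d(payload[1:]))
        else:
            body = _b64d(payload)
        return json.loads(body)
    except (binascii.Error, zlib.error, ValueError):
        return None


if __name__ == "__main__":
    key = "YOUR_SECRET_KEY"  # constructed sample key, not a real one
    cookie = dump_session({"user_id": "42"}, key, timestamp=1638921600)
    print(cookie)
    print(load_session(cookie, key))             # the dict, signature verified
    print(load_session(cookie, "some-other-key")) # None: wrong key
    print(load_session(cookie + "x", key))        # None: tampered bytes
```

Because the payload is only base64 and not encrypted, anyone holding the cookie can read the session contents; the signature protects integrity, not confidentiality. Rotating SECRET_KEY invalidates every outstanding cookie at once, which is the practical response if the key is exposed.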