本文介绍了如何使用Flask-Login库进行Web应用的会话管理,包括用户登录、登出,以及处理“记住我”功能。通过LoginManager初始化应用,设置登录视图,并使用login_user方法实现用户登录。同时,文章提到了重定向攻击的安全防范,使用login_required装饰器限制未授权访问,并展示了登录、登出路由的实现。最后,预告了将介绍Request Loader定制登录。
上一章我们介绍了使用Flask开发基本的Web应用,并使用session来进行基本的登录授权验证,接下来我们将使用Flask-Login来进行会话管理,来处理我们的“登入、登出”问题
Flask-Login provides user session management for Flask. It handles the common tasks of logging in, logging out, and remembering your users’ sessions over extended periods of time.
It will:
- Store the active user’s ID in the session, and let you log them in and out easily.
- Let you restrict views to logged-in (or logged-out) users.
- Handle the normally-tricky “remember me” functionality.
- Help protect your users’ sessions from being stolen by cookie thieves.
- Possibly integrate with Flask-Principal or other authorization extensions later on.
However, it does not:
- Impose a particular database or other storage method on you. You are entirely in charge of how the user is loaded.
- Restrict you to using usernames and passwords, OpenIDs, or any other method of authenticating.
- Handle permissions beyond “logged in or not.”
- Handle user registration or account recovery.
还是上一章的Web应用,
- 首先,通过LoginManager.init_app创建我们的应用,并通过login_view指定默认登录页,如果用户没有登录,则自动跳转到登录页:
app = Flask(__name__)
login_manager = LoginManager()
login_manager.init_app(app)
login_manager.login_view = 'login'
login_manager.login_message = 'please login!'
login_manager.session_protection = 'strong'
logger = flask_logger.get_logger(__name__)flask_logger.get_logger是我们自定义的日志模块,后续介绍
- 修改路由方法login
@app.route('/login', methods=['GET', 'POST'])
def login():
if request.method == 'POST':
logger.debug("login post method")
username = request.form['username']
password = request.form['password']
user = flask_db.get_user_engine(username)
logger.debug('db user id is %s, detail is %s' % (user.username, user))
next_url = request.args.get("next")
logger.debug('next is %s' % next_url)
if password == 'admin123' and username == user.username:
# set login user
user = User()
user.id = username
flask_login.login_user(user)
resp = make_response(render_template('index.html', name=username))
resp.set_cookie('username', username)
if not is_safe_url(next_url):
return abort(400)
return redirect(next_url or url_for('index'))
else:
return abort(401)
logger.debug("login get method")
return render_template('login.html')
注意,用户通过验证之后,使用login_user方法让用户登录,flask_db.get_user_engine自定义获取数据库用户方法,后续介绍
当用户请求重定向到登入视图,它的请求字符串中会有一个 next 变量,其值为用户之前访问的页面,因此在我们完成验证之后,我们通过request.args.get(“next”)获取到用户之前访问的页面地址,并进行重定向,注意建议对此参数进行安全校验,避免重定向攻击
- 使用login_required装饰器确保首页授权访问
@app.route('/', methods=['GET', 'POST'])
@app.route('/index', methods=['GET', 'POST'])
@flask_login.login_required</
最低0.47元/天 解锁文章
扫一扫
2175
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
