Cookie、Session
以下观点仅个人理解,大神勿喷
View
def login(request):
resp = HttpResponse('login')
resp.set_cookie("v1","123", max_age=3600, path='/', httponly=True, secure=True)
print(resp.cookies)
return resp
def home(request):
v = request.COOKIES.get('v1')
print(v)
return HttpResponse('home...')
从上面的一段代码可以看到,创建cookie前需要先创建一个Http响应对象,然后设置cookie,其中的参数及其功能如下:
- v1: 相当于字典中的key
- 123: 相当于字典中的value
- max_age:cookie的存活时间,相当于expire,cookie过期后发送请求将不携带该条cookie信息,max_age=None,相当于关闭浏览器就清理掉该cookie记录
- path:相当于正则表达式,只有包含/的路径的视图发送请求时才携带该cookie,例如/home,若这里设置path=/home,则其/index将获取不到该cookie
- httponly:默认为False,设置为True时,js将无法获取到该条cookie信息
- secure:默认为False,设置为True时,将只有https请求才可获得该cookie信息
Settings配置文件
# session
SESSION_ENGINE= 'django.contrib.sessions.backends.file'# 以文件的形式进行存储session,同时还可以以数据库....存储
SESSION_FILE_PATH = 'xxxx' # 缓存文件路径,如果为None,则使用tempfile模块获取一个临时地址 tempfile gettempdir()
SESSION_COOKIE_NAME = "sid" # Session的cookie保存在浏览器上时的key,即:sessionid=随机字符串
SESSION_ COOKIE_ PATH= "/"# Session的cookie保存的路径
SESSION _COOKIE_DOMAIN= None# Session的cookie保存的域名
SESSION_COOKIE_SECURE = False #是否Https传输cookie
SESSION_COOKIE_HTTPONLY= True # 是否Session的cookie只支持http传输
SESSION_COOKIE_AGE = 1209600 # Session的cookie失效日期(2周)
SESSION_EXPIRE_AT_BROMSER_CLOSE = False # 是否关闭浏览器使得Session过期
SESSION SAVE EVERY REQUEST= True # 是否每次请求都保存Session,默认修改之后才保存
以上配置信息在Django中都有默认的配置,可以进行修改成适合自己的,可以在试图中设置session并获取session
在Django中,有个中间件(‘django.contrib.sessions.middleware.SessionMiddleware’)可一专门处理浏览器发送请求时带来的session,中间件具体的函数如下:
class SessionMiddleware(MiddlewareMixin):
def __init__(self, get_response):
super().__init__(get_response)
engine = import_module(settings.SESSION_ENGINE)
self.SessionStore = engine.SessionStore
def process_request(self, request):
session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
request.session = self.SessionStore(session_key)
def process_response(self, request, response):
"""
If request.session was modified, or if the configuration is to save the
session every time, save the changes and set a session cookie or delete
the session cookie if the session has been emptied.
"""
try:
accessed = request.session.accessed
modified = request.session.modified
empty = request.session.is_empty()
except AttributeError:
return response
# First check if we need to delete this cookie.
# The session should be deleted only if the session is entirely empty.
if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
response.delete_cookie(
settings.SESSION_COOKIE_NAME,
path=settings.SESSION_COOKIE_PATH,
domain=settings.SESSION_COOKIE_DOMAIN,
samesite=settings.SESSION_COOKIE_SAMESITE,
)
patch_vary_headers(response, ("Cookie",))
else:
if accessed:
patch_vary_headers(response, ("Cookie",))
if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
if request.session.get_expire_at_browser_close():
max_age = None
expires = None
else:
max_age = request.session.get_expiry_age()
expires_time = time.time() + max_age
expires = http_date(expires_time)
# Save the session data and refresh the client cookie.
# Skip session save for 5xx responses.
if response.status_code < 500:
try:
request.session.save()
except UpdateError:
raise SessionInterrupted(
"The request's session was deleted before the "
"request completed. The user may have logged "
"out in a concurrent request, for example."
)
response.set_cookie(
settings.SESSION_COOKIE_NAME,
request.session.session_key,
max_age=max_age,
expires=expires,
domain=settings.SESSION_COOKIE_DOMAIN,
path=settings.SESSION_COOKIE_PATH,
secure=settings.SESSION_COOKIE_SECURE or None,
httponly=settings.SESSION_COOKIE_HTTPONLY or None,
samesite=settings.SESSION_COOKIE_SAMESITE,
)
return response
通过代码可以看到,每当浏览器进行请求时,都会通过process_request获取到session数据并绑定到request.session中,然后当我们视图处理完数据返回给前端时,中间件会通过process_response将cookie进行处理并返回给浏览器。具体细节在这里就不讲述了,具体看代码实现:
def login(request):
request.session['username']='北漂强'
return HttpResponse('login')
def home(request):
v = request.session.get('username')
print(v)
print(request.session)
return HttpResponse('home...')
北漂强
<django.contrib.sessions.backends.db.SessionStore object at 0x10449c460>
从上述代码可以看到,可以通过request.session设置其键值对,具体的细节如下
- 浏览器发送请求到Django服务端,服务端会通过中间件查询其sessionid(可自己命名)
- 若未查询到,则新建,若查询到则对其进行处理
- 通过视图函数新建session数据,在返回时将通过中间件继续处理后返回给浏览器
总的来说,浏览器保存的cookie里面含有sessionid,当浏览器发送请求时会携带cookie,Django端通过中间件获取sessionid,而session表是存在于Django服务端的,服务端获取到sessionid后对比session表中的数据,查看其是否匹配以及过期时间,进而便能晓得该用户的信息以及信息是否过期,避免了每次都需账号密码登陆的问题,这个sessionid相当于一个凭证