Flask session源码分析
基本用法
from flask import session
@app.route(’/‘,method=['GET','POST'])
def index():
session['name'] = 'xxx'
return 'index'
@app.route(’/test‘,method=['GET','POST'])
def test():
print(session['name'])
return 'test'
打印值: xxx
源码分析
Flask类下
有一个属性session_interface
它是SecureCookieSessionInterface
的实例化
class SecureCookieSessionInterface(SessionInterface):
#: the salt that should be applied on top of the secret key for the
#: signing of cookie based sessions.
salt = "cookie-session"
#: the hash function to use for the signature. The default is sha1
digest_method = staticmethod(hashlib.sha1)
key_derivation = "hmac"
serializer = session_json_serializer
session_class = SecureCookieSession
def get_signing_serializer(self, app):
if not app.secret_key:
return None
signer_kwargs = dict(
key_derivation=self.key_derivation, digest_method=self.digest_method
)
return URLSafeTimedSerializer(
app.secret_key,
salt=self.salt,
serializer=self.serializer,
signer_kwargs=signer_kwargs,
)
def open_session(self, app, request):
s = self.get_signing_serializer(app)
if s is None:
return None
val = request.cookies.get(app.session_cookie_name)
if not val:
return self.session_class()
max_age = total_seconds(app.permanent_session_lifetime)
try:
data = s.loads(val, max_age=max_age)
return self.session_class(data)
except BadSignature:
return self.session_class()
def save_session(self, app, session, response):
domain = self.get_cookie_domain(app)
path = self.get_cookie_path(app)
if not session:
if session.modified:
response.delete_cookie(
app.session_cookie_name, domain=domain, path=path
)
return
if session.accessed:
response.vary.add("Cookie")
if not self.should_set_cookie(app, session):
return
httponly = self.get_cookie_httponly(app)
secure = self.get_cookie_secure(app)
samesite = self.get_cookie_samesite(app)
expires = self.get_expiration_time(app, session)
val = self.get_signing_serializer(app).dumps(dict(session)) #将session转成字典变成字符串
#get_signing_serializer是其内置的加密方式
response.set_cookie(
app.session_cookie_name, #去配置文件当中去获取键值对'SESSION_COOKIE_NAME':'session'
val, #字符串格式
expires=expires, #超时时间
httponly=httponly, #是否可被js代码获取
domain=domain, #cookie的生效域名
path=path, #使cookie生效的路径
secure=secure, #浏览器将通过https来回传cookie
samesite=samesite,
)
这个类一共有三个方法get_signing_serializer
、open_session
、save_session
在save_session
中重写cookie:
def save_session(self, app, session, response):
if not session:
#判断session是否修改过,修改过的意思是,进入view时候session中被添加了键值对或删除了键值对
if session.modified:
#如果修改过把原来的cookie全部删除重新设置值
response.delete_cookie(
app.session_cookie_name, domain=domain, path=path
在savesession下
有一个get_signing_serializer
方法对session进行加密
def get_signing_serializer(self, app):
if not app.secret_key:
return None
signer_kwargs = dict(
key_derivation=self.key_derivation, digest_method=self.digest_method
)
return URLSafeTimedSerializer(
app.secret_key,#采用配置文件中的secret_key进行加密
salt=self.salt,
serializer=self.serializer,
signer_kwargs=signer_kwargs,
)
注释:如果要保存到数据库的话就重写open_session
与 save_session
方法。