Flask:如何防止重播攻击

本文介绍了Flask:如何防止重播攻击的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我正在尝试在Flask应用程序中实现逻辑以防止回复攻击.关于所问的问题，此处，我的想法是设置用户从系统注销时的当前会话生存期.通常，建议通过以下方式设置会话生存期:

I'm trying to implement a logic in my Flask application to prevent reply attacks. Regarding to the question asked here, My idea is to set the current session lifetime when user logs out from the system. In general, it is suggested to set the session lifetime this way:

@app.before_request def before_request(): session.permanent = True app.permanent_session_lifetime = timedelta(minutes=10)

但是，我想设置用户从系统注销时的当前会话生存时间.类似于以下代码:

However, I want to set my current session life time when user logs out from the system. Something like the following code:

@app.after_request def app_after_request(response): response.headers["X-Frame-Options"] = "SAMEORIGIN" if "__logged_out__" in session and session["__logged_out__"] is True: session.clear() response.set_cookie(app.session_cookie_name, '', expires=0) return response

我还检查了这个问题，但问题是我m处理一些机密数据，我必须确保在用户从系统注销后清除会话.在手动创建后，是否可以设置一个会话的生存期?还是可以通过flask-login来简单地处理这种情况?

I also checked this question, but the problem is that I'm dealing with some confidential data and I have to ensure that session is cleared after user logged out from the system. Is there any way to set one session lifetime after creation manually? or is there any easy way to handle this situation with flask-login?

推荐答案

我找到了解决方案.我应该只使用 Flask-KVSession 包将会话数据存储在数据库(或任何其他数据存储)中服务器内存.打包网站介绍后:

I found the solution. I should simply use Flask-KVSession package to store session data in database (or any other data storage) instead of server memory. As the package website introduced:

Flask-KVSession是MIT许可的服务器端会话替代品Flask的基于客户端的已签名会话管理.而不是存储客户端上的数据，则仅将安全生成的ID存储在客户端，而实际的会话数据驻留在服务器上.

Flask-KVSession is an MIT-licensed server-side session replacement for Flask‘s signed client-based session management. Instead of storing data on the client, only a securely generated ID is stored on the client, while the actual session data resides on the server.

您还需要在数据库中创建一个键-值配对表(默认情况下它已命名为会话，但是您也可以更改名称和架构)并将其指向flask应用程序对象.可以在此处找到更多信息.

You also need to create a key-value paired table in your database (it has named sessions by default, but you can change the name and schema as well) and point it to your flask app object. More information can be found here.