Django loses currently logged in user
After my site has been up and running for a while, I suddenly have a problem with my users logging into it.
I am running Django 1.6 on Ubuntu with Apache and mod_wsgi in daemon mode behind SSL and I am using the Session database backend. I am using django-allauth.account for account management/login.
My Session settings are like this:
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_AGE = 60*60*24
SESSION_COOKIE_SECURE = True
Since I assumed that there is an issue with sessions, I did the following:
a. I checked the sessionid cookie, which was for example: 1parpvj07b77rtxueo6981z3xoshnpx4
b. s = Session.objects.get(session_key='1parpvj07b77rtxueo6981z3xoshnpx4')
c. And s.get_decoded() gave me back {}, which would explain why Django thinks the user must log in first.
d. Then I found this gist: https://gist.github.com/glarrain/3982485. Trying this gave me the following: {'_auth_user_id': 330619L, '_auth_user_backend': 'django.contrib.auth.backends.ModelBackend', u'_session_expiry': 0}
Any help is highly appreciated, this is a production site.
UPDATE: I have just realized that the behavior is not consistent:
a. After login Django sometimes recognizes me as a logged-in user, sometimes it redirects me to the Login Page. Even if I do not log in, but continue to click other pages, suddenly I am recognized again; the session_id in the browser cookie is consistent.
b. On our test server, which uses the production settings, I cannot reproduce this issue. The only difference between production and test is that the load is significantly higher and we do load balancing.
Could I have a threading issue? Though I could not imagine where this should originate from.

If your option d. works well (I mean the gist), I think you have some problems with session data signing.
Take a look into the gist:
https://gist.github.com/glarrain/3982485#file-gistfile1-py-L19
They split the hash and data part. I think the session classes check this hash and give you an empty dict because the hash is broken for some reason.
Why is it broken? Need to check more deeply.
Maybe the cookie is written with one salt and read with a different one. This can corrupt session data.
Just checked the Django code. Take a look at the lines at https://github.com/django/django/blob/master/django/contrib/sessions/backends/base.py#L83
They really check session data for corruption and allow loading session data only with the class object that stored it (the session backend name is used as salt).
Maybe your classes use one session instance to write and another to read. This makes your session break.
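
Added example, not part of the original answer and not Django's own code: a standard-library sketch of the signed session format described above (base64 of a hex HMAC, a colon, then the serialized payload, as in Django 1.6). It shows a verified decode returning {} when the secret or the backend class name differs from the one used to write the row, while an unverified split like the gist's still shows the data. The secrets and the session row are constructed, the function names are hypothetical, and a JSON payload is assumed.

```python
import base64
import hashlib
import hmac
import json

SALT_PREFIX = "django.contrib.sessions"  # Django prepends this to the class name


def session_hash(serialized, secret, class_name="SessionStore"):
    """HMAC-SHA1 keyed with sha1(salt + secret), mirroring Django 1.6's salted_hmac."""
    key = hashlib.sha1((SALT_PREFIX + class_name + secret).encode()).digest()
    return hmac.new(key, serialized, hashlib.sha1).hexdigest()


def encode(session_dict, secret, class_name="SessionStore"):
    serialized = json.dumps(session_dict, separators=(",", ":")).encode("latin-1")
    digest = session_hash(serialized, secret, class_name)
    return base64.b64encode(digest.encode() + b":" + serialized).decode("ascii")


def decode(session_data, secret, class_name="SessionStore"):
    """Verified decode: any failure yields an empty session, like get_decoded()."""
    try:
        digest, serialized = base64.b64decode(session_data).split(b":", 1)
        expected = session_hash(serialized, secret, class_name)
        if not hmac.compare_digest(digest.decode(), expected):
            raise ValueError("Session data corrupted")
        return json.loads(serialized.decode("latin-1"))
    except Exception:
        return {}


def peek_unverified(session_data):
    """Diagnostic only: split off the hash and read the payload without checking it."""
    _, serialized = base64.b64decode(session_data).split(b":", 1)
    return json.loads(serialized.decode("latin-1"))


# Constructed sample values, not taken from the page.
NODE_A_SECRET = "constructed-secret-for-node-a"
NODE_B_SECRET = "constructed-secret-for-node-b"
ROW = encode({"_auth_user_id": 330619, "_session_expiry": 0}, NODE_A_SECRET)

if __name__ == "__main__":
    print("writer's settings :", decode(ROW, NODE_A_SECRET))
    print("different secret  :", decode(ROW, NODE_B_SECRET))
    print("different class   :", decode(ROW, NODE_A_SECRET, "OtherStore"))
    print("unverified peek   :", peek_unverified(ROW))
```

A row that reads as {} through the verified path but shows a user id through the unverified peek points at a signing mismatch between the writer and the reader rather than at a missing session.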