
Requests in authenticated session are sometimes sent by AnonymousUser in Django

I have a Django application which runs on gunicorn behind an nginx proxy.

When users log in, I redirect them to a single page application which is developed in Angular.

I'm using the @login_required decorator for all functions used in the SPA.

While using the application, one random function call is suddenly sent as AnonymousUser, so the @login_required decorator does not pass, so I log out the user or show an error.

I'm using a custom user profile, with the session engine set to cached_db, backed by memcached and PostgreSQL behind pgbouncer.

My authentication-related settings are as follows. PS: the get_env_variable() function gets the variable from the OS environment.

AUTH_USER_MODEL = 'main.User'
AUTH_PROFILE_MODULE = 'main.User'
INSTALLED_APPS = [
    'django.contrib.auth',
    'django.contrib.sessions',
    ***
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

#Sessions
SESSION_SAVE_EVERY_REQUEST = True
SESSION_COOKIE_NAME = 'sesid'
SESSION_COOKIE_PATH = '/'
SESSION_COOKIE_DOMAIN = 'domain.com'
SESSION_COOKIE_SECURE  = True
SESSION_COOKIE_AGE = 1800
SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
CSRF_COOKIE_NAME = 'csrftkn'
CSRF_COOKIE_PATH = '/'
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = True
CSRF_COOKIE_DOMAIN = 'domain.com'
CSRF_COOKIE_AGE = 1800
CSRF_TRUSTED_ORIGINS = ['domain.com']
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_BROWSER_XSS_FILTER = True
X_FRAME_OPTIONS = "SAMEORIGIN"
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': get_env_variable("DATABASE_NAME"),
        'USER': get_env_variable("DATABASE_USER"),
        'PASSWORD': get_env_variable("DATABASE_PASSWORD"),
        'HOST': get_env_variable("DATABASE_HOST"),
        'PORT' : get_env_variable("DATABASE_PORT"),
        'CONN_MAX_AGE': None,
        'OPTIONS': {
            'sslmode': 'verify-full',
        }
    }
}
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': "127.0.0.1:11211",
    }
}

Funny thing is, I'm using the same settings for another Django application, which works perfectly. What could be the reason for Django sending one request as AnonymousUser? I've never seen this before.

Also, if I remove the @login_required decorator, the next function call is sent as the logged-in user. So 1 out of 15-20 requests is sent as AnonymousUser, which is really strange.

My Sentry logs showed a strange issue:

DjangoUnicodeDecodeError: 'utf8' codec can't decode byte 0xdd in position 12: invalid continuation byte. You passed in 'HTTP_CONNECT\xddON' (<type 'str'>

When I dug into the situation, it turned out that in one of my functions I was using locale and set the locale to tr_TR. After setting the locale, the request header HTTP_CONNECTION is converted to HTTP_CONNECT\xddON, which messes up the request and turns the request user into AnonymousUser.

I don't know why this happens, but when I removed the locale, it works perfectly.
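The mangled byte is the classic Turkish-I problem: under a tr_TR locale the C library's toupper() maps 'i' to the dotted capital I, which is byte 0xDD in ISO-8859-9, and Python 2 byte-string .upper() follows the C locale, so a server that builds environ keys as 'HTTP_' + name.upper() produces HTTP_CONNECT\xddON instead of HTTP_CONNECTION. Two points are worth seeing in code: locale.setlocale() is process-wide, so one view calling it changes the locale for every concurrent request in that worker, and header-name case mapping should never depend on the locale at all. The following is an added example, not code from the question, Django or gunicorn; the environ dictionaries and the sesid value are constructed, and the locale names tried are just candidates that may or may not be installed on a given host. It runs on Python 3, where str.upper() is already locale-independent, so the detection function is the part that applies to a Python 2 deployment like the one described.

```python
import locale
import re
import threading

# Constructed WSGI environ fragments (not captured from the question's server).
# The second one carries the mangling the question reports: the 'I' of
# CONNECTION replaced by \xdd, the dotted capital I in ISO-8859-9.
CLEAN_ENVIRON = {
    "HTTP_CONNECTION": "keep-alive",
    "HTTP_COOKIE": "sesid=example-session-id",   # constructed value
    "REQUEST_METHOD": "GET",
}
MANGLED_ENVIRON = {
    "HTTP_CONNECT\xddON": "keep-alive",
    "HTTP_COOKIE": "sesid=example-session-id",
    "REQUEST_METHOD": "GET",
}

# A well-formed CGI/WSGI header key is HTTP_ followed by ASCII upper-case
# letters, digits and underscores only.
HEADER_KEY = re.compile(r"^HTTP_[A-Z0-9_]+$")


def ascii_upper(name: str) -> str:
    """Upper-case only the ASCII letters a-z, ignoring the process locale.

    Unlike a locale-following toupper(), this can never turn an ASCII
    header name into one containing a non-ASCII character.
    """
    return "".join(chr(ord(c) - 32) if "a" <= c <= "z" else c for c in name)


def wsgi_key(header_name: str) -> str:
    """Build the environ key for a request header the way WSGI servers do,
    but with locale-independent case mapping."""
    return "HTTP_" + ascii_upper(header_name).replace("-", "_")


def find_mangled_headers(environ: dict) -> list:
    """Return environ keys that claim to be HTTP headers but are not plain
    ASCII. A non-empty result is the symptom from the question and is worth
    logging in a middleware before any view looks at request.user."""
    return sorted(k for k in environ
                  if k.startswith("HTTP_") and not HEADER_KEY.match(k))


def locale_is_process_wide() -> bool:
    """Show that locale.setlocale() in one thread is visible from every other
    thread: there is no per-request locale, so a view that calls setlocale()
    changes it for all requests the same worker process is handling."""
    chosen = None
    for candidate in ("tr_TR.UTF-8", "C.UTF-8", "C"):   # first installed one wins
        try:
            chosen = locale.setlocale(locale.LC_ALL, candidate)
            break
        except locale.Error:
            continue
    seen = {}

    def other_request():
        # Query only (no second argument): this is what a request handled by
        # another thread of the same worker would observe.
        seen["value"] = locale.setlocale(locale.LC_ALL)

    t = threading.Thread(target=other_request)
    t.start()
    t.join()
    locale.setlocale(locale.LC_ALL, "C")   # restore a known state afterwards
    return seen["value"] == chosen


if __name__ == "__main__":
    print(wsgi_key("Connection"))                 # HTTP_CONNECTION
    print(find_mangled_headers(CLEAN_ENVIRON))    # []
    print(find_mangled_headers(MANGLED_ENVIRON))  # the one key containing \xdd
    print(locale_is_process_wide())               # True
```

The practical consequence is the one the poster landed on: a locale must not be switched inside a request handler. If per-request localised formatting is needed, do it with a library that takes the locale as a parameter rather than global state, or set the process locale once at worker start-up and never touch it again.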
