In Django, how do I decrypt the session id in the database and in the cookie with my SECRET_KEY?
I created a Django application with the settings below (for cookie-based sessions):
SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies'
SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer'
Then I got this session id:
sessionid=.eJxrYJk6gwECaqdo9PDGJ5aWZMSXFqcWxWemTOlhMjSY0iOEJJiUmJydmgeU0UzJSsxLz9dLzs8rKcpM0gMp0YPKFuv55qek5jjB1PIjGZCRWJwxpUfDMNUk1STJ1MLc0tLczDLNyMg0ydDQzDTJzCjZ0jg50SLR3NDc3DzReEqpHgBcETf7:1eVt50:xtWtUp9mwcxusxtg6fZB_tHzlYw
With another setting (for database-backed sessions):
SESSION_ENGINE = 'django.contrib.sessions.backends.db'
SESSION_SERIALIZER = 'django.contrib.sessions.serializers.JSONSerializer'
I got the following encrypted string in the database:
gzc9c9nwwraqhbdsk9xg935ypkqp7ecs|MmExZWI0NjZjYzIwNDYyZDhjNWVmODJlNmMwNjI0ZmJmMjQ4MTljNDp7Il9hdXRoX3VzZXJfaWQiOiIxMCIsIl9hdXRoX3VzZXJfYmFja2VuZCI6ImRqYW5nby5jb250cmliLmF1dGguYmFja2VuZHMuTW9kZWxCYWNrZW5kIiwiX2F1dGhfdXNlcl9oYXNoIjoiMWU0ZTRiNTg3OTk3NjlmMjI1YjExNjViNjJjOTNjYThhNzE3NzdhMyIsImxhc3RfbG9naW4iOjIyMjJ9
I want to know what is inside both of these encrypted strings.
It would be great if anyone could give me some sample code.
First off, I would not recommend you use PickleSerializer unless you have a good reason to change the default session serializer and understand the security implications.
The cookies you have aren't encrypted, they're just encoded as url-safe base64 (optionally compressed with zlib) and then signed:
In [8]: import base64
In [9]: base64.urlsafe_b64decode('MmExZWI0NjZjYzIwNDYyZDhjNWVmODJlNmMwNjI0ZmJmMjQ4MTljNDp7Il9hdXRoX3VzZXJfaWQiOiIxMCIsIl9hdXRoX3VzZXJfYmFja2VuZCI6ImRqYW5nby5jb250cmliLmF1dGguYmFja2VuZHMuTW9kZWxCYWNrZW5kIiwiX2F1dGhfdXNlcl9oYXNoIjoiMWU0ZTRiNTg3OTk3NjlmMjI1YjExNjViNjJjOTNjYThhNzE3NzdhMyIsImxhc3RfbG9naW4iOjIyMjJ9')
Out[9]: '2a1eb466cc20462d8c5ef82e6c0624fbf24819c4:{"_auth_user_id":"10","_auth_user_backend":"django.contrib.auth.backends.ModelBackend","_auth_user_hash":"1e4e4b58799769f225b1165b62c93ca8a71777a3","last_login":2222}'
In [10]: base64.urlsafe_b64decode('.eJxrYJk6gwECaqdo9PDGJ5aWZMSXFqcWxWemTOlhMjSY0iOEJJiUmJydmgeU0UzJSsxLz9dLzs8rKcpM0gMp0YPKFuv55qek5jjB1PIjGZCRWJwxpUfDMNUk1STJ1MLc0tLczDLNyMg0ydDQzDTJzCjZ0jg50SLR3NDc3DzReEqpHgBcETf7').decode('zlib')
Out[10]: '\x80\x04\x95\x98\x00\x00\x00\x00\x00\x00\x00}\x94(\x8c\r_auth_user_id\x94\x8c\x0210\x94\x8c\x12_auth_user_backend\x94\x8c)django.contrib.auth.backends.ModelBackend\x94\x8c\x0f_auth_user_hash\x94\x8c(1e4e4b58799769f225b1165b62c93ca8a71777a3\x94u.'
This is all handled by your SESSION_ENGINE:
from importlib import import_module
from django.conf import settings
SessionStore = import_module(settings.SESSION_ENGINE).SessionStore
session_data = SessionStore().decode('.eJxrYJk6gwECaqdo9PDGJ5aWZMSXFq......')
Documentation about signing values using the secret key can be found at: https://docs.djangoproject.com/en/2.0/topics/signing/
Looking at the session id string, it looks like a complex value: https://docs.djangoproject.com/en/2.0/topics/signing/#protecting-complex-data-structures
>>> from django.core import signing
>>> value = signing.dumps({"foo": "bar"})
>>> value
'eyJmb28iOiJiYXIifQ:1NMg1b:zGcDE4-TCkaeGzLeW9UQwZesciI'
>>> signing.loads(value)
{'foo': 'bar'}
So try signing.loads(session_id)
But that can also fail due to the wrong salt. Just read up on Django sessions to find out more about storage. Especially https://docs.djangoproject.com/en/2.0/topics/http/sessions/ and how to implement your own serializer/storage.
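Both answers describe the same layout: the session dict is serialized, base64-encoded (zlib-compressed and marked with a leading '.' when that is shorter) and then signed with SECRET_KEY, so the contents are readable without the key and the key only proves the data was not altered. The following Python 3 script is an added example, not code from either answer or from Django: it parses the two strings from the question with the standard library alone, and re-implements the Django 2.x Signer to verify a cookie against a constructed secret. The salt string and the SHA-1-based HMAC construction are assumptions taken from Django 2.x's source, and the secret used in the check is made up.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Copied from the question above (for the db row, only the part after '|' is session data).
DB_SESSION_DATA = "MmExZWI0NjZjYzIwNDYyZDhjNWVmODJlNmMwNjI0ZmJmMjQ4MTljNDp7Il9hdXRoX3VzZXJfaWQiOiIxMCIsIl9hdXRoX3VzZXJfYmFja2VuZCI6ImRqYW5nby5jb250cmliLmF1dGguYmFja2VuZHMuTW9kZWxCYWNrZW5kIiwiX2F1dGhfdXNlcl9oYXNoIjoiMWU0ZTRiNTg3OTk3NjlmMjI1YjExNjViNjJjOTNjYThhNzE3NzdhMyIsImxhc3RfbG9naW4iOjIyMjJ9"
COOKIE_SESSION = ".eJxrYJk6gwECaqdo9PDGJ5aWZMSXFqcWxWemTOlhMjSY0iOEJJiUmJydmgeU0UzJSsxLz9dLzs8rKcpM0gMp0YPKFuv55qek5jjB1PIjGZCRWJwxpUfDMNUk1STJ1MLc0tLczDLNyMg0ydDQzDTJzCjZ0jg50SLR3NDc3DzReEqpHgBcETf7:1eVt50:xtWtUp9mwcxusxtg6fZB_tHzlYw"
# Salt that Django's signed_cookies backend passes to signing.loads (assumed from Django 2.x source).
SESSION_SALT = "django.contrib.sessions.backends.signed_cookies"


def b64_decode(s: str) -> bytes:
    """Django strips '=' padding from its base64 output; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def decode_db_session(value: str):
    """db backend row: base64(<hmac hexdigest>:<JSON>). Readable without any key."""
    raw = base64.b64decode(value + "=" * (-len(value) % 4))
    digest, _, serialized = raw.partition(b":")
    return digest.decode(), json.loads(serialized)

def split_cookie(cookie: str):
    """signed_cookies backend: <payload>:<base62 timestamp>:<signature>."""
    payload, timestamp, signature = cookie.rsplit(":", 2)
    return payload, timestamp, signature

def decode_cookie_payload(payload: str) -> bytes:
    """A leading '.' marks a zlib-compressed payload. Returns the serialized bytes;
    the question's cookie holds a pickle (b'\\x80\\x04' header), which is deliberately
    not unpickled here because pickle.loads executes code embedded in its input."""
    if payload.startswith("."):
        return zlib.decompress(b64_decode(payload[1:]))
    return b64_decode(payload)

def django_signature(value: str, secret: str, salt: str) -> str:
    """Django 2.x Signer: HMAC-SHA1 keyed with sha1(salt + 'signer' + SECRET_KEY),
    urlsafe base64 without padding (Django 3.1+ defaults to SHA-256 instead)."""
    key = hashlib.sha1((salt + "signer" + secret).encode()).digest()
    mac = hmac.new(key, value.encode(), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def verify_cookie(cookie: str, secret: str, salt: str = SESSION_SALT) -> bool:
    """What SECRET_KEY is actually for: proving the cookie was not altered."""
    signed_value, _, signature = cookie.rpartition(":")
    return hmac.compare_digest(django_signature(signed_value, secret, salt), signature)
```

A wrong salt or secret makes verify_cookie return False even though decode_cookie_payload still reads the payload, which is exactly the "fails due to the wrong salt" situation the second answer mentions.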