I am writing a forum app on Django using a custom session/auth/users/ACL system. One of the goals is allowing users to browse and use my app even if they have cookies off. Coming from the PHP world, the best solution for the problem is appending sid= to every link on the page. Here is how I plan to do it:
Session middleware checks if the user has a session cookie or a remember-me cookie. If he does, this most likely means cookies work for him. If he doesn't, we generate a new session ID, open a new session (make a new entry in the sessions table in the DB), then send a cookie and redirect the user to where he is, but with the SID appended to the URL. After the redirect, the middleware will see if the session ID can be obtained from either the cookie or GET. If it's the cookie, we stop adding the SID to URLs. If it's GET, we keep them.
I plan to insert the SID= part into URLs by decorating django.core.urlresolvers.reverse and reverse_lazy with my own function that appends ?sid= to them. However, this raises some problems because both middlewares and urlresolvers are not thread safe. To overcome this I created something like this:
from django.core import urlresolvers

# session_url_decorator (defined elsewhere, not shown) wraps reverse()
# so that every generated URL gets ?sid=<session id> appended.


class SessionMiddleware(object):
    using_decorator = False
    original_reverse = None

    def process_request(self, request):
        # Remember the undecorated reverse() and swap in the decorated one
        self.using_decorator = True
        self.original_reverse = urlresolvers.reverse
        urlresolvers.reverse = session_url_decorator(urlresolvers.reverse, 's87add8ash7d6asdgas7dasdfsadas')

    def process_response(self, request, response):
        # Turn off decorator if we are using it
        if self.using_decorator:
            urlresolvers.reverse = self.original_reverse
            self.using_decorator = False
        return response
If the SID has to be passed via links, process_request sets using_decorator to true and stores the undecorated urlresolvers.reverse in a separate method. After the page is rendered, process_response checks using_decorator to see if it has to perform "garbage collection". If it does, it returns the reverse function to its original undecorated state.
My question is, is this approach thread-safe? Or may an increase in traffic on my forum result in the middleware decorating those functions again and again and again, failing to run "garbage collection"? I also thought about using regex to simply skim the generated HTML response for links and providing template filters and variables for manually adding the SID to places that are omitted by the regex.
Which approach is better? Also, is the current one thread-safe?
1 Solution
#1
1
First of all: Using SIDs in the URL is quite dangerous, e.g. if you copy&paste a link for a friend he is signed in as you. Since most users don't know what a SID is they will run into this issue. As such you should never ever use SIDs in the URL and since Facebook and friends all require cookies you should be fine too...
Considering that, monkeypatching urlresolvers.reverse luckily doesn't work! Might be doable with a custom URLResolvers subclass, but I recommend against it.
And yes, your middleware is not threadsafe. Middlewares are initialized only once and shared between threads, meaning that storing anything on self is not threadsafe.
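An added example, not part of the original question or answer: it replays the question's middleware logic for two overlapping requests on one shared instance, showing that one visitor's SID stays patched into reverse() after both responses have finished. The `urlresolvers` stand-in, the `session_url_decorator` body and the SID values are constructed so the block runs without Django.

```python
import types

# Constructed stand-in for django.core.urlresolvers (assumption: no Django here).
PLAIN_REVERSE = lambda name: "/" + name + "/"
urlresolvers = types.SimpleNamespace(reverse=PLAIN_REVERSE)


def session_url_decorator(func, sid):
    # Hypothetical body for the poster's helper: append ?sid= to each URL.
    def wrapper(name):
        return func(name) + "?sid=" + sid
    return wrapper


class SessionMiddleware(object):
    # Same logic as the question; the state lives on the one shared instance.
    using_decorator = False
    original_reverse = None

    def process_request(self, sid):
        self.using_decorator = True
        self.original_reverse = urlresolvers.reverse
        urlresolvers.reverse = session_url_decorator(urlresolvers.reverse, sid)

    def process_response(self):
        if self.using_decorator:
            urlresolvers.reverse = self.original_reverse
            self.using_decorator = False


def interleaved_requests():
    """Replay two overlapping requests in a fixed order; return the URLs built."""
    urlresolvers.reverse = PLAIN_REVERSE
    mw = SessionMiddleware()           # created once, shared by all threads
    mw.process_request("SID-ALICE")    # thread 1 starts
    mw.process_request("SID-BOB")      # thread 2 starts before thread 1 ends
    during = urlresolvers.reverse("topic")   # link rendered in either page
    mw.process_response()              # thread 1 restores Alice's wrapper
    mw.process_response()              # thread 2 sees the flag already cleared
    after = urlresolvers.reverse("topic")    # link for any later visitor
    return during, after


if __name__ == "__main__":
    during, after = interleaved_requests()
    print("during overlap:", during)
    print("after both responses:", after)
```

Every later request in the process, including ones from visitors with working cookies, now renders links carrying the first visitor's session ID.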