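First, the back end. It is written with the Tornado framework, and the handler inherits its cookie methods from Tornado's web.py. Here are the relevant method signatures and docstrings from the source: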
    def get_cookie(self, name, default=None):
        """Gets the value of the cookie with the given name, else default."""

    def set_cookie(self, name, value, domain=None, expires=None, path="/",
                   expires_days=None, **kwargs):
        """Sets the given cookie name/value with the given options.

        Additional keyword arguments are set on the Cookie.Morsel
        directly.
        See http://docs.python.org/library/cookie.html#morsel-objects
        for available attributes.
        """

    def get_secure_cookie(self, name, value=None, max_age_days=31,
                          min_version=None):
        """Returns the given signed cookie if it validates, or None.

        The decoded cookie value is returned as a byte string (unlike
        `get_cookie`).

        .. versionchanged:: 3.2.1

           Added the ``min_version`` argument.  Introduced cookie version 2;
           both versions 1 and 2 are accepted by default.
        """

    def set_secure_cookie(self, name, value, expires_days=30, version=None,
                          **kwargs):
        """Signs and timestamps a cookie so it cannot be forged.

        You must specify the ``cookie_secret`` setting in your Application
        to use this method. It should be a long, random sequence of bytes
        to be used as the HMAC secret for the signature.

        To read a cookie set with this method, use `get_secure_cookie()`.

        Note that the ``expires_days`` parameter sets the lifetime of the
        cookie in the browser, but is independent of the ``max_age_days``
        parameter to `get_secure_cookie`.

        Secure cookies may contain arbitrary byte values, not just unicode
        strings (unlike regular cookies)

        .. versionchanged:: 3.2.1

           Added the ``version`` argument.  Introduced cookie version 2
           and made it the default.
        """
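The full implementation is in the source; here I only briefly cover the two methods set_cookie and set_secure_cookie. The main difference is that set_secure_cookie passes the value through create_signed_value first, which is what prevents a user's cookie from being forged.
create_signed_value takes the current time, base64-encodes the value to be stored, and passes these two plus the name to _cookie_signature, which signs the three values. It then joins the signature, the base64-encoded value and the timestamp with | and uses the result as the cookie value.
_cookie_signature generates and returns the signature using the secret key kept in settings.
get_secure_cookie splits the cookie value on |, recomputes the signature from the name, the base64-encoded original value and the timestamp, and checks that it matches. If it does, the value is returned. There is also an additional expiry check.
Anyone who wants to forge a user's cookie has to know the secret key in order to produce a correct signature. Without it, the value fails verification in get_secure_cookie, and the forged cookie value is never returned.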
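The sign-and-verify flow described above, as an added sketch that is not Tornado's source or code from the original post. It assumes HMAC-SHA1 and the value|timestamp|signature field order of Tornado's version 1 cookie format; the secret, the cookie name and the helper name cookie_signature are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key; stands in for the cookie_secret application setting.
SECRET = b"constructed-demo-secret-do-not-reuse"


def cookie_signature(secret, *parts):
    """Hex HMAC-SHA1 over the given byte strings (assumed v1-style signing)."""
    mac = hmac.new(secret, digestmod=hashlib.sha1)
    for part in parts:
        mac.update(part)
    return mac.hexdigest().encode()


def create_signed_value(secret, name, value, now=None):
    """Return b64(value)|timestamp|signature for the named cookie."""
    timestamp = str(int(time.time() if now is None else now)).encode()
    b64 = base64.b64encode(value)
    sig = cookie_signature(secret, name.encode(), b64, timestamp)
    return b"|".join([b64, timestamp, sig])


def decode_signed_value(secret, name, cookie, max_age_days=31, now=None):
    """Return the original bytes, or None if forged, malformed or expired."""
    parts = cookie.split(b"|")
    if len(parts) != 3:
        return None
    b64, timestamp, sig = parts
    expected = cookie_signature(secret, name.encode(), b64, timestamp)
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(sig, expected):
        return None
    now = time.time() if now is None else now
    if int(timestamp) < now - max_age_days * 86400:
        return None  # signature is valid but the cookie is too old
    return base64.b64decode(b64)


if __name__ == "__main__":
    cookie = create_signed_value(SECRET, "user", b"alice")
    print(cookie)
    print(decode_signed_value(SECRET, "user", cookie))
    # Swap in a different value but keep the old signature: must be rejected.
    b64, ts, sig = cookie.split(b"|")
    forged = b"|".join([base64.b64encode(b"admin"), ts, sig])
    print(decode_signed_value(SECRET, "user", forged))
```

Because the cookie name is part of the signed input, a value signed for one cookie also fails verification when replayed under a different cookie name.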
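Okay, introduction over, time to step into the pitfalls~~~~
After set_cookie the browser shows no cookie information. What is going on here.......
The Ajax call looks fine too. All right, all right, I won't keep you in suspense, haha, here is the fix: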
Front-end Ajax options:
    crossDomain: true,  // treat the request as cross-domain
    xhrFields: {withCredentials: true},  // be sure to add both of these
Back-end handler:
    self.set_header(name="Access-Control-Allow-Origin", value="http://localhost:63342")
    self.set_header(name="Access-Control-Allow-Credentials", value="true")
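The value here is the origin of your front-end page. It can also be set to *, which lets every origin access it; note that browsers reject a * origin on requests sent with withCredentials, so for the cookie case above the explicit origin is the one to use.
There, it works now, ooh la la...........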
Page updated: 2024-04-28