An explanation of Tornado's secure cookie mechanism in Python

This article brings you an explanation of the Tornado security cookie mechanism in Python. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to you.

Cookies are data stored in the user's local terminal (Client Side) by many websites in order to identify the user's identity. Using RequestHandler.get_cookie() and RequestHandler.set_cookie() in Tornado can easily Read and write cookies.

Example: Simple reading and writing of Cookie

import tornado.web

session_id = 1
class MainHandler(tornado.web.RequestHandler):
    def get(self):
        global session_id
        if not self.get_cookie("session"):
            self.set_cookie("session",str(session_id))
            session_id+=1
            self.write("设置新的session")
        else:
            self.write("已经具有session")

if __name__ == '__main__':
    app=tornado.web.Application([
        ("/",MainHandler)
    ])
    app.listen("8888")
    tornado.ioloop.IOLoop.current().start()

In this example, the get_cookie() function is used to determine whether the Cookie name [session] exists. If it does not exist, assign it to it. New session_id.

In practical applications, cookies are often used to save session information like this example.
Because Cookie is always saved on the client side, how to save it from being tampered with is a problem that the server-side program must solve.
Tornado provides an information encryption mechanism for Cookie, making it impossible for the client to parse and modify the key value of Cookie at will.

Example: Secure Cookie

Code:

import tornado.web

session_id = 1
class MainHandler(tornado.web.RequestHandler):
    def get(self):
        global session_id
        #get_secure_cookie代替get_cookie
        if not self.get_secure_cookie("session"):
            #set_secure_cookie代替set_cookie
            self.set_secure_cookie("session",str(session_id))
            session_id+=1
            self.write("设置新的session")
        else:
            self.write("已经具有session")

if __name__ == '__main__':
    app=tornado.web.Application([
        ("/",MainHandler)
    ],cookie_secret="JIA_MI_MI_YAO")
    app.listen("8888")
    tornado.ioloop.IOLoop.current().start()

Comparing the simple Cookie example above, you can find the difference:

• The cookie_secret parameter is assigned when the tornado.web.Application object is initialized. The value of this parameter is a string used to save the key used to encrypt cookies on this website.

• Use RequestHandler.get_secure_cookie instead of the original RequestHandler.get_cookie call where cookies need to be read.

• Replace the original RequestHandler.set_cookie call with RequestHandler.set_secure_cookie where Cookie needs to be written.

In this way, you don’t need to worry about Cookie The problem of forgery is solved, but the cookie_secret parameter value, as the encryption key, needs to be well protected and cannot be leaked.

The above is the detailed content of An explanation of Tornado's secure cookie mechanism in Python. For more information, please follow other related articles on the PHP Chinese website!