English 中文(简体)
闪电 + pyAMF + Django session cookie security
原标题:Flash + pyAMF + Django session cookie security

首先,如果真的有正式的闪电/密码,则会篡改会议/浏览周围网页的状况,这样,如果用户已经站起来,他们就不必再次提供全权证书,以便建立AMF联系,请让我现在停下来并张贴正式答案。

暗示,我假定不存在,因为我已经找过,似乎不存在。 我混淆了这样做的手段,但希望得到一些反馈,了解它是否安全。

  1. Accessing a wrapper-page for a flash object will always go to secure https due to django middleware
  2. When the page view is loaded in Django, it creates a "session alias" object with a unique key that points to the current session in play (in which someone ostensibly logged in)
  3. That session alias model is saved, and that key is placed into a cookie whose key is another random string, call it randomcookie
  4. That randomcookie key name is passed as a context variable and written into the html as a flashvar to the swf
  5. The swf is also loaded only via https
  6. The flash application uses ExternalInterface to call java to grab the value at that randomcookie location, and also deletes the cookie
  7. It then creates a NetConnection to a secure server https location, passing that randomcookie as an argument (data, not in the url) to a login-using-cookie rpc
  8. At the gateway side, pyamf looks up the session alias and gets the session it points to, and logs in the user based on that (and deletes the alias, so it can t be reused)
  9. (And the gateway request could also set the session cookie and session.session_key to the known session ID, but I could let it make a whole new session key... I m assuming that doing so should affect the response properly so that it contains the correct session key)
  10. At this point, the returned cookie values on the flash side should stick to the NetConnection so that further calls are authenticated (if a connection is authenticated using username and password the normal way, this definitely works, so I think this is a safe bet, testing will soon prove or disprove this)

因此,这是否不安全,或者这项工作是否适当? 我知道,由于html网页被保证为超薄,关键和 co数据应当加密,而不是可以偷窃。 之后,该带的内涵应当安全,可以一次性使用,基本是临时密码,再次用斜体发送,因为大门口也是https。 之后,它使用通常的信用社系统,而不是从普通人手中做任何事情。

最佳回答

迄今尚未对此做出答复,因此,我所能做的最好办法是确认,这实际上确实是实际的。 关于如何建立灵活建筑商与Django网页模板通信的html-wrappers的详情,见my other post。 完成上述工作时,加上:

采用以下方式:

class SessionAlias(models.Model):
  alias   = models.CharField( max_length=40, primary_key=True )
  session = models.ForeignKey( Session )
  created = models.DateTimeField( auto_now_add=True )

a. 具有灵活性的Django网页,其载量来自:

s = SessionAlias()
s.alias = SessionStore().session_key // generates new 40-char random
s.session = Session.objects.get( session_key=request.session.session_key )
s.save();
randomcookie = SessionStore().session_key // generates new 40-char random
kwargs[ extra_context ][ randomcookie ] = randomcookie
response = direct_to_template( request, **kwargs )
response.set_cookie( randomcookie, value=alias )

在html-wrapper,随机照相处的地点是:

<param name="flashVars" value="randomcookie={{randomcookie}}" />

applicationComplete上,我们在那里随机抽查并找到了细节,并在使用上登录:

var randomcookie:String = this.parameters["randomcookie"];
// randomcookie is something like "abc123"
var js:String = "function get_cookie(){return document.cookie;}";
var cookies:String = ExternalInterface.call(js).toString();
// cookies looks like "abc123=def456; sessionid=ghi789; ..."
var alias:String = // strip out the "def456"
mynetconnection.call( "loginByAlias", alias, successFunc, failureFunc );

而后者又进入了这一Pyamf网关:

from django.contrib.auth import SESSION_KEY, load_backend
from django.contrib.auth.models import User
from django.contrib import auth
from django.conf import settings
def loginByAlias( request, alias ):
  a = SessionAlias.objects.get( alias=alias )
  session_engine = __import__( settings.SESSION_ENGINE, {}, {}, [  ] )
  session_wrapper = session_engine.SessionStore( a.session.session_key )
  user_id = session_wrapper.get( SESSION_KEY )
  user = User.objects.get( id=user_id )
  user.backend= django.contrib.auth.backends.ModelBackend 
  auth.login( request, user )
  a.delete()
  return whateverToFlash

此时此刻,在闪光/flex一侧,特别是mynetlinkion。 保留本届会议的表象,使今后能够发出电话,从而使在网关内<代码>request.user首先贴上网页的经过适当验证的用户。

请注意,软体的操作/试验环境必须使用https和网关环境。 在公布时,我必须确保经认证的用户留在网上。

希望人们进一步发出任何信息,特别是如果对安全方面有真正的反馈的话。

时间:2010-08-25 21:35:30
问题回答

国际能源学会没有机会接触当地发展中的厨师,但如果你出版并投入一个领域,它就应当像以往其他浏览器一样来召集会议。 第3条第3款:在当地建设你的弹性体。

在IE8公司测试,使用具有NetConnection的第3号灵活通道。 关口功能与@login_required

时间:2011-06-03 20:19:29


上一篇:
下一篇:


相关问题
why the session in iis automatically log out?

I used iis6, and when i called a function Directory.delete(), the all the session relate this website will be logged out. and i debugged the website, i found no exception. any one have ideas on this ? ...

时间:2009-11-14 04:12:49 回答:2 展示:1
Check session from a view in CodeIgniter

What is the best way to check session from a view in CodeIgniter, it shows no way in their user guide, otherwise I will have to make two views on everything, which is kinda weird...still a newbie to ...

时间:2009-11-14 03:37:15 回答:2 展示:1
Can I get the size of a Session object in bytes in c#?

Is it possible to get the size(in bytes) of a Session object after storing something such as a datatable inside it? I want to get the size of a particular Session object, such as Session["table1"], ...

时间:2009-11-06 17:20:18 回答:4 展示:1
提供严格分类的出席会议物体

提供严格分类的与会机会的最佳方式是什么? 我正计划转而选择矩阵,这正在促使汇编者抱怨我的幻觉方案拟订方法......

时间:2009-11-06 17:14:32 回答:2 展示:1
PHP Session is not destroying after user logout

I m trying to create an authentication mechanism for my PHP Application and I m having difficulty destroying the session. I ve tried unsetting the authentication token which was previously set within ...

时间:2009-11-05 22:44:53 回答:5 展示:1
热门标签

友情链接

Allggapp Alljchome-教程家园 mvfinale.com-影视剧情大结局大全