Flash + pyAMF + Django session cookie security

Published 2024-09-15 12:59:33 · 1204 words · 6 views · 0 comments

First off, if there is a true, official way of having flash/flex's NetConnections usurp the session/cookie state of the surrounding web page, so that if the user has already logged in, they don't need to provide credentials again just to set up an AMF connection, please stop me now and post the official answer.

Barring that, I'm assuming there is not, as I have searched and it seems to not exist. I've concocted a means of doing this, but want some feedback as to whether it is secure.

  1. Accessing a wrapper-page for a flash object will always go to secure https due to django middleware
  2. When the page view is loaded in Django, it creates a "session alias" object with a unique key that points to the current session in play (in which someone ostensibly logged in)
  3. That session alias model is saved, and that key is placed into a cookie whose key is another random string, call it randomcookie
  4. That randomcookie key name is passed as a context variable and written into the html as a flashvar to the swf
  5. The swf is also loaded only via https
  6. The flash application uses ExternalInterface to call java to grab the value at that randomcookie location, and also deletes the cookie
  7. It then creates a NetConnection to a secure server https location, passing that randomcookie as an argument (data, not in the url) to a login-using-cookie rpc
  8. At the gateway side, pyamf looks up the session alias and gets the session it points to, and logs in the user based on that (and deletes the alias, so it can't be reused)
  9. (And the gateway request could also set the session cookie and session.session_key to the known session ID, but I could let it make a whole new session key... I'm assuming that doing so should affect the response properly so that it contains the correct session key)
  10. At this point, the returned cookie values on the flash side should stick to the NetConnection so that further calls are authenticated (if a connection is authenticated using username and password the normal way, this definitely works, so I think this is a safe bet, testing will soon prove or disprove this)

So, is this unsafe, or will this work properly? As far as I know, since the html page is guaranteed to be over ssl, the key and cookie data should be encrypted and not steal-able. Then, the info therein should be safe to use one-time as basically a temporary password, sent again over ssl because the gateway is also https. After that, it's using the normal pyAMF system over https and not doing anything out of the ordinary.

Answers (2)

还给你自由 2024-09-22 12:59:34

No responses on this so far, so the best I can do is confirm that it does in fact physically work. For details on how to set up Flex Builder to write html-wrappers that communicate with Django pages templates, see my other post. The above was accomplished using a combination of the aforementioned, plus:

Made a SessionAlias model:

from django.db import models
from django.contrib.sessions.models import Session

class SessionAlias(models.Model):
  alias   = models.CharField( max_length=40, primary_key=True )  # 40 chars, same size as a session key
  session = models.ForeignKey( Session )
  created = models.DateTimeField( auto_now_add=True )

Flex points to a Django page that loads via a view containing:

from django.contrib.sessions.backends.db import SessionStore  # default db session engine
from django.contrib.sessions.models import Session
from django.views.generic.simple import direct_to_template

s = SessionAlias()
s.alias = SessionStore().session_key  # generates new 40-char random
s.session = Session.objects.get( session_key=request.session.session_key )
s.save()
randomcookie = SessionStore().session_key  # generates new 40-char random
kwargs['extra_context']['randomcookie'] = randomcookie
response = direct_to_template( request, **kwargs )
response.set_cookie( randomcookie, value=s.alias )  # cookie named randomcookie carries the alias

In the flex html-wrapper, where randomcookie is the location to look for the alias:

<param name="flashVars" value="randomcookie={{randomcookie}}" />

In applicationComplete, where we get randomcookie and find the alias, and log on using that:

var randomcookie:String = this.parameters["randomcookie"];
// randomcookie is something like "abc123"
var js:String = "function get_cookie(){return document.cookie;}";
var cookies:String = ExternalInterface.call(js).toString();
// cookies looks like "abc123=def456; sessionid=ghi789; ..."
var alias:String = null;
for each (var pair:String in cookies.split("; ")) {
  if (pair.indexOf(randomcookie + "=") == 0) {
    alias = pair.substr(randomcookie.length + 1);  // the "def456" part
  }
}
// NetConnection.call takes the Responder before the rpc arguments
mynetconnection.call( "loginByAlias", new Responder(successFunc, failureFunc), alias );

Which in turn accesses this pyamf gateway rpc:

from django.contrib.auth import SESSION_KEY
from django.contrib.auth.models import User
from django.contrib import auth
from django.conf import settings
from myapp.models import SessionAlias  # the model above; "myapp" is a placeholder for the real app name

# request is the Django HttpRequest; pyAMF only passes it when expose_request is enabled
def loginByAlias( request, alias ):
  a = SessionAlias.objects.get( alias=alias )
  session_engine = __import__( settings.SESSION_ENGINE, {}, {}, [''] )
  session_wrapper = session_engine.SessionStore( a.session.session_key )
  user_id = session_wrapper.get( SESSION_KEY )
  user = User.objects.get( id=user_id )
  user.backend='django.contrib.auth.backends.ModelBackend'
  auth.login( request, user )
  a.delete()  # one-time use: the alias is gone after the first login
  return whateverToFlash  # placeholder: whatever the flash side expects back

And at that point, on the flash/flex side, that particular mynetconnection retains the session cookie state that can make future calls such that, inside the gateway, request.user is the properly-authenticated user that logged onto the webpage in the first place.

Note again that the run/debug settings for flex must use https, as well as the gateway settings for NetConnection. And when releasing this, I have to make sure that authenticated users stay on https.

Any further info from people would be appreciated, especially if there's real feedback on the security aspects of this...
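The handoff that the question lays out in steps 2 to 8 and that the answer above implements, as an added end-to-end example that is not the poster's code: the SessionAlias table and the Django session store are replaced by in-memory dicts, the 60-second freshness window (ALIAS_TTL_SECONDS) is an assumption the page does not state, and the session key and user id (ghi789, 42) are constructed. It runs the issue, cookie, and redeem steps in order and exercises the two checks the gateway should enforce: the alias works exactly once, and an alias that sits unredeemed past the window is rejected, which is what the model's created column can be used for.

```python
import secrets
import time

# Assumption: an alias not redeemed within this window is treated as stale.
ALIAS_TTL_SECONDS = 60

# Constructed stand-in for the Django session table: session_key -> session data.
SESSIONS = {"ghi789": {"_auth_user_id": 42}}


class SessionAliasStore:
    """In-memory stand-in for the SessionAlias model (alias -> session key, created time)."""

    def __init__(self, now=time.time):
        self._aliases = {}
        self._now = now

    def issue(self, session_key):
        alias = secrets.token_hex(20)  # 40 chars, like a Django session key
        self._aliases[alias] = (session_key, self._now())
        return alias

    def redeem(self, alias):
        """Single use: pop first, so even a stale alias cannot be retried."""
        entry = self._aliases.pop(alias, None)
        if entry is None:
            return None
        session_key, created = entry
        if self._now() - created > ALIAS_TTL_SECONDS:
            return None
        return session_key


def render_wrapper_page(store, session_key):
    """Server, steps 2-4: issue the alias, store it in a cookie with a random name,
    and hand only that name to the swf as a flashvar."""
    alias = store.issue(session_key)
    cookie_name = secrets.token_hex(20)
    return {cookie_name: alias}, {"randomcookie": cookie_name}


def parse_cookie_header(header):
    """What the swf has to do with the string ExternalInterface returns for document.cookie."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name] = value
    return cookies


def swf_pick_alias(cookie_header, flashvars):
    """Flash side, step 6: look up the alias under the randomcookie name."""
    return parse_cookie_header(cookie_header).get(flashvars["randomcookie"])


def gateway_login_by_alias(store, alias):
    """Gateway, step 8: alias -> session -> user id; the alias is consumed either way."""
    session_key = store.redeem(alias)
    if session_key is None:
        return None
    return SESSIONS.get(session_key, {}).get("_auth_user_id")


def simulate_handoff(delay_seconds=0):
    """Run the whole exchange with a controllable clock; returns (first redeem, replayed redeem)."""
    clock = [1000.0]
    store = SessionAliasStore(now=lambda: clock[0])
    cookies, flashvars = render_wrapper_page(store, "ghi789")
    # The browser serialises cookies the way document.cookie renders them.
    header = "; ".join("%s=%s" % kv for kv in cookies.items()) + "; sessionid=ghi789"
    alias = swf_pick_alias(header, flashvars)
    clock[0] += delay_seconds
    first = gateway_login_by_alias(store, alias)
    second = gateway_login_by_alias(store, alias)  # replay of the same alias
    return first, second


if __name__ == "__main__":
    print(simulate_handoff())      # (42, None): works once, replay rejected
    print(simulate_handoff(61))    # (None, None): stale alias rejected
```

The pop-before-check order in redeem is deliberate: a stale alias is removed on its first presentation rather than left in the table, so there is nothing to retry later, and the cookie parsing is split into its own function because that string handling is the one step the poster's ActionScript left unfinished.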

千秋岁 2024-09-22 12:59:34

IE doesn't give access to cookies in local development, but if you publish the SWF and put it on a domain, it should pick up the session just like every other browser. Use Firefox 3.6 to build your flex apps locally.

Tested in IE8 and Firefox using a pyamf gateway on Flex 3 with NetConnection. The gateway function was decorated with @login_required.
