- 创建表
- 登陆与注册
- 登陆的html页面
- 设置urls
- 设置views
- 访问测试
- 配置管理页面
- 配置一个用户如果登陆成功即返回的页面,并设置欢迎语
- 判断是否登陆
- 直接获取客户端上的cookies
- 设置cookies
- 访问测试
- 输入错误的用户名密码
- 输入正确的用户名密码
- 查看cookie:
- 从数据库拿数据(用户名密码)
- Cookie
- 可设置多个键值对儿做为cookie
- cookie设置失效--max_age
- 设置超时 expires
- 即有max-age 也有expire
- 参数 "path:"/""对某个url是否生效,以及domain
- 参数 domain:
- 参数secure 是用于https传输的
- httponly
- 客户端设置cookie
- 加密的cookie
from django.db import models
# Create your models here.
class Classes(models.Model):
    """A class (cohort) of students, identified by its caption."""
    # Explicit auto-increment primary key (Django would add one implicitly).
    id = models.AutoField(primary_key=True)
    caption = models.CharField(max_length=32)

    def __str__(self) -> str:
        return self.caption
class Teacher(models.Model):
    """A teacher account; a teacher can be attached to many classes."""
    id = models.AutoField(primary_key=True)
    name = models.CharField(max_length=32)
    username = models.CharField(max_length=32)
    # SECURITY NOTE(review): this column is used as a raw password — the
    # login views on this page filter on password equality, i.e. they expect
    # the clear-text value to be stored. Store a hash instead
    # (django.contrib.auth.hashers.make_password / check_password); Django's
    # own password hashes need max_length=128, so the column would have to be
    # widened as part of that change.
    password = models.CharField(max_length=32)
    cls = models.ManyToManyField("Classes")

    def __str__(self) -> str:
        return self.name
class Students(models.Model):
    """A student account belonging to exactly one class."""
    id = models.AutoField(primary_key=True)
    name = models.CharField(max_length=32)
    # on_delete is mandatory on ForeignKey; CASCADE removes the student rows
    # together with their class.
    cls = models.ForeignKey(Classes, on_delete=models.CASCADE)
    username = models.CharField(max_length=32)
    # SECURITY NOTE(review): clear-text password column, same remark as on
    # Teacher — store a hash (make_password / check_password, max_length=128).
    password = models.CharField(max_length=32)

    def __str__(self) -> str:
        return self.name
注意:从 Django 2.0 起,ForeignKey 必须显式传入 on_delete,例如 `cls = models.ForeignKey(Classes, on_delete=models.CASCADE)`;CASCADE 表示删除班级时会连带删除该班级下的学生记录,如果不希望级联删除,应改用 PROTECT 或 SET_NULL 等策略。
登陆与注册 登陆的html页面
用户登陆
//用于设置一个大的登陆框
文件内有相应的解释
# URL configuration: the landing page and the login form.
urlpatterns = [
    path("index/", views.index),       # landing page
    path("login.html/", views.login),  # login form
]
设置views
def login(request):
    """Render the login form.

    The request method is echoed to stdout so the GET/POST flow can be
    watched while developing.
    """
    method = request.method
    print(method)
    return render(request, "login.html")
访问测试
生成的csrf_token
后台管理
hello {{ username }}
# URL configuration: index, the login form, and the management page that a
# successful login redirects to.
urlpatterns = [
    path("index/", views.index),
    path("login.html/", views.login),
    path("manage.html/", views.manage),
]
def manage(request):
    """Render the management page for a placeholder user.

    NOTE(review): the user name is hard-coded and nothing is checked, so
    this page is reachable by anyone who knows the URL.
    """
    context = {"username": "feihuang"}
    return render(request, "manage.html", context)
判断是否登陆
目标:如果用户已经登陆了,就直接返回到manage页面,如果没有登陆,则重新登陆
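# Reading cookies straight off the client request (request.COOKIES).
def manage(request):
    """Render the management page and report whether a csrftoken cookie arrived.

    Fix: the original printed the csrftoken *value* to stdout. Tokens must not
    end up in logs or consoles, so only the cookie's presence is reported now.
    The page itself is still served without any authentication check.
    """
    has_csrf_cookie = request.COOKIES.get("csrftoken") is not None
    print("csrftoken cookie present:", has_csrf_cookie)
    username = "feihuang"
    return render(request, "manage.html", {"username": username})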
def manage(request):
    """Show the management page when a ``username`` cookie is present,
    otherwise bounce the client to the login page.

    SECURITY NOTE(review): ``username`` is a plain, unsigned cookie that the
    client can set to any value (the ``document.cookie`` experiment further
    down this page shows how), so this check does not authenticate anyone.
    Pair it with ``set_signed_cookie`` / ``request.get_signed_cookie``, or
    better, use Django's session framework and keep the identity server-side.
    """
    username = request.COOKIES.get("username")
    if not username:
        return redirect("/classes/login.html")
    return render(request, "manage.html", {"username": username})
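def login(request):
    """Handle the login form.

    GET renders the form. POST looks the submitted user/pwd pair up in
    ``Administrator`` and, on a match, redirects to the manage page with a
    ``username`` cookie; otherwise the form is re-rendered with ``message``.

    Fixes vs. the original:
    - the submitted password (and the matched QuerySet) are no longer
      printed — credentials must never reach stdout or logs; only the
      attempted username is echoed;
    - the ``username`` cookie is marked ``HttpOnly`` so page scripts cannot
      read it.
    SECURITY NOTE(review): the lookup compares the password in clear text,
    which means the table stores raw passwords; switch to
    ``django.contrib.auth.hashers`` (make_password / check_password). The
    cookie is also still unsigned and therefore forgeable by the client.
    """
    # One-off seeding line used while writing this page:
    # models.Administrator.objects.create(name="admin", username="root", password="123123")
    message = ""
    if request.method == "POST":
        username = request.POST.get("user")
        password = request.POST.get("pwd")
        print("login attempt for user:", username)
        # Lazy QuerySet: `if c` and `c[0]` each issue a query.
        c = models.Administrator.objects.filter(Q(username=username) & Q(password=password))
        if c:
            reply = redirect("/classes/manage.html")
            # str() of the model instance becomes the cookie value.
            reply.set_cookie("username", c[0], httponly=True)
            return reply
        message = "用户名密码输入错误,请重新输入。"
    return render(request, "login.html", {"message": message})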
用户登陆
加了下面一句
{{ message }}
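def login(request):
    """Handle the login form (same flow as above; ``message`` is shown in
    the template when the credentials do not match).

    Fixes vs. the original:
    - the submitted password and the matched QuerySet are no longer
      printed; only the attempted username is echoed;
    - the ``username`` cookie is marked ``HttpOnly``.
    SECURITY NOTE(review): clear-text password comparison — store and check
    hashes via ``django.contrib.auth.hashers`` instead. The cookie remains
    unsigned, so the client can forge it.
    """
    # One-off seeding line used while writing this page:
    # models.Administrator.objects.create(name="admin", username="root", password="123123")
    message = ""
    if request.method == "POST":
        username = request.POST.get("user")
        password = request.POST.get("pwd")
        print("login attempt for user:", username)
        c = models.Administrator.objects.filter(Q(username=username) & Q(password=password))
        if c:
            reply = redirect("/classes/manage.html")
            reply.set_cookie("username", c[0], httponly=True)
            return reply
        message = "用户名密码输入错误,请重新输入。"
    return render(request, "login.html", {"message": message})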
访问测试
输入错误的用户名密码
输入正确的用户名密码
查看cookie:
从数据库拿数据(用户名密码)
from django.shortcuts import render,HttpResponse,redirect
from Classes import models
from django.db.models import Q
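def login(request):
    """Handle the login form, checking the submitted user/pwd against the
    ``Administrator`` table.

    Fixes vs. the original:
    - the submitted password and the matched QuerySet are no longer
      printed; only the attempted username is echoed;
    - the ``username`` cookie is marked ``HttpOnly``.
    SECURITY NOTE(review): the password is compared in clear text, so the
    table holds raw passwords — use ``make_password`` / ``check_password``
    from ``django.contrib.auth.hashers``. The cookie is unsigned and can be
    set to any value by the client.
    """
    # One-off seeding line used while writing this page:
    # models.Administrator.objects.create(name="admin", username="root", password="123123")
    message = ""
    if request.method == "POST":
        username = request.POST.get("user")
        password = request.POST.get("pwd")
        print("login attempt for user:", username)
        c = models.Administrator.objects.filter(Q(username=username) & Q(password=password))
        if c:
            reply = redirect("/classes/manage.html")
            reply.set_cookie("username", c[0], httponly=True)
            return reply
        message = "用户名密码输入错误,请重新输入。"
    return render(request, "login.html", {"message": message})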
Cookie
- 就是保存在浏览器端的键值对儿,可以利用做登陆
- 保存在用户浏览器
- 可以主动清除(浏览器清除cookies)
- 也可以被伪造(浏览器端可以随意改写、新增 cookie),因此服务端不能把未签名 cookie 里的值当作已认证的身份——上面的 manage 视图只检查 username cookie 是否存在,任何人自己设置一个同名 cookie 就能绕过登录
- 跨域名的cookie是不共享的(哪怕访问的是同一个站点)
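def login(request):
    """Handle the login form and, on success, set several cookies at once.

    Fixes vs. the original:
    - the submitted password and the matched QuerySet are no longer
      printed; only the attempted username is echoed;
    - the ``name`` cookie: the original passed the whole QuerySet ``c`` as
      the value, which stringifies to ``<QuerySet [...]>``; it now carries
      the matched row's ``name`` field (the field the seeding line fills);
    - the identity cookie ``username`` is marked ``HttpOnly``.
    SECURITY NOTE(review): clear-text password comparison and unsigned
    cookies, as in the earlier versions — hash the stored password and sign
    (or better, avoid) identity cookies.
    """
    # One-off seeding line used while writing this page:
    # models.Administrator.objects.create(name="admin", username="root", password="123123")
    message = ""
    if request.method == "POST":
        username = request.POST.get("user")
        password = request.POST.get("pwd")
        print("login attempt for user:", username)
        c = models.Administrator.objects.filter(Q(username=username) & Q(password=password))
        if c:
            admin = c[0]
            reply = redirect("/classes/manage.html")
            reply.set_cookie("username", admin, httponly=True)
            reply.set_cookie("name", admin.name)
            reply.set_cookie("location", "shanghai")
            return reply
        message = "用户名密码输入错误,请重新输入。"
    return render(request, "login.html", {"message": message})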
cookie设置失效–max_age
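def login(request):
    """Handle the login form; the ``username`` cookie expires after 10 s.

    ``max_age=10`` only tells the *browser* to drop the cookie; nothing on
    the server checks the age, so a client that keeps sending the cookie is
    still accepted by ``manage``.

    Fixes vs. the original:
    - the submitted password and the matched QuerySet are no longer
      printed; only the attempted username is echoed;
    - the ``username`` cookie is marked ``HttpOnly``.
    SECURITY NOTE(review): clear-text password comparison — use
    ``django.contrib.auth.hashers``; the cookie is unsigned and forgeable.
    """
    # One-off seeding line used while writing this page:
    # models.Administrator.objects.create(name="admin", username="root", password="123123")
    message = ""
    if request.method == "POST":
        username = request.POST.get("user")
        password = request.POST.get("pwd")
        print("login attempt for user:", username)
        c = models.Administrator.objects.filter(Q(username=username) & Q(password=password))
        if c:
            reply = redirect("/classes/manage.html")
            # Browser-side lifetime of 10 s; the user has to log in again
            # afterwards (as far as the browser cooperates).
            reply.set_cookie("username", c[0], max_age=10, httponly=True)
            return reply
        message = "用户名密码输入错误,请重新输入。"
    return render(request, "login.html", {"message": message})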
reply.set_cookie(“username”, c[0],max_age=10) #设置最大存活时间10s,相当于10s后需要重新认证
max_age 和 expires 效果相同:Django 传了 max_age 时会同时写出 Expires(见下面源码里的 `# IE requires expires`),因为旧版 IE 只认 Expires;浏览器同时收到两者时以 Max-Age 为准。注意这两个属性都只是让浏览器到期后删除 cookie,服务端并不校验过期时间,伪造或保留了 cookie 的客户端照样可以继续发送。
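# Timeout via ``expires``.
def login(request):
    """Handle the login form; the ``username`` cookie carries an absolute
    ``Expires`` 10 s in the future.

    Django's ``set_cookie`` converts a datetime ``expires`` into ``max-age``
    itself (see its source further down the page), so this is equivalent to
    ``max_age=10``. Expiry is enforced by the browser only.

    Fixes vs. the original:
    - the submitted password and the matched QuerySet are no longer
      printed; only the attempted username is echoed;
    - the expiry is built from a timezone-aware UTC ``datetime`` instead of
      the naive ``utcnow()`` (deprecated in recent Python); ``set_cookie``
      accepts both;
    - the ``username`` cookie is marked ``HttpOnly``.
    SECURITY NOTE(review): clear-text password comparison and an unsigned,
    forgeable cookie, as in the earlier versions.
    """
    # One-off seeding line used while writing this page:
    # models.Administrator.objects.create(name="admin", username="root", password="123123")
    message = ""
    if request.method == "POST":
        username = request.POST.get("user")
        password = request.POST.get("pwd")
        print("login attempt for user:", username)
        c = models.Administrator.objects.filter(Q(username=username) & Q(password=password))
        if c:
            import datetime
            t = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(seconds=10)
            reply = redirect("/classes/manage.html")
            reply.set_cookie("username", c[0], expires=t, httponly=True)
            return reply
        message = "用户名密码输入错误,请重新输入。"
    return render(request, "login.html", {"message": message})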
即有max-age 也有expire
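def login(request):
    """Handle the login form, passing both ``max_age`` and ``expires``.

    As Django's ``set_cookie`` source further down the page shows, a
    datetime ``expires`` is turned into ``max_age`` and *overwrites* the
    ``max_age=15`` given here — the effective lifetime is the ~10 s derived
    from ``t``, not 15 s. Both attributes are enforced by the browser only.

    Fixes vs. the original:
    - the submitted password and the matched QuerySet are no longer
      printed; only the attempted username is echoed;
    - timezone-aware UTC ``datetime`` instead of naive ``utcnow()``;
    - the ``username`` cookie is marked ``HttpOnly``.
    SECURITY NOTE(review): clear-text password comparison and an unsigned,
    forgeable cookie, as in the earlier versions.
    """
    # One-off seeding line used while writing this page:
    # models.Administrator.objects.create(name="admin", username="root", password="123123")
    message = ""
    if request.method == "POST":
        username = request.POST.get("user")
        password = request.POST.get("pwd")
        print("login attempt for user:", username)
        c = models.Administrator.objects.filter(Q(username=username) & Q(password=password))
        if c:
            import datetime
            t = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(seconds=10)
            reply = redirect("/classes/manage.html")
            # max_age=15 is discarded by set_cookie because expires is a datetime.
            reply.set_cookie("username", c[0], max_age=15, expires=t, httponly=True)
            return reply
        message = "用户名密码输入错误,请重新输入。"
    return render(request, "login.html", {"message": message})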
参数 “path:”/""对某个url是否生效,以及domain
源码
def set_cookie(
    self,
    key,
    value="",
    max_age=None,
    expires=None,
    path="/",
    domain=None,
    secure=False,
    httponly=False,
    samesite=None,
):
    """
    Set a cookie.
    ``expires`` can be:
    - a string in the correct format,
    - a naive ``datetime.datetime`` object in UTC,
    - an aware ``datetime.datetime`` object in any time zone.
    If it is a ``datetime.datetime`` object then calculate ``max_age``.

    Notes for readers of this page:
    - when ``expires`` is a datetime, the ``max_age`` argument is
      *overwritten* by the value derived from it (see below), so passing
      both only ever honours ``expires``;
    - ``secure``, ``httponly`` and ``samesite`` are attributes the browser
      enforces: ``secure`` restricts the cookie to HTTPS requests,
      ``httponly`` hides it from ``document.cookie``, ``samesite`` limits
      cross-site sending. None of them stops a client from forging the
      cookie; only signing (``set_signed_cookie``) or a server-side session
      does that.
    """
    self.cookies[key] = value
    if expires is not None:
        if isinstance(expires, datetime.datetime):
            if timezone.is_naive(expires):
                expires = timezone.make_aware(expires, timezone.utc)
            delta = expires - datetime.datetime.now(tz=timezone.utc)
            # Add one second so the date matches exactly (a fraction of
            # time gets lost between converting to a timedelta and
            # then the date string).
            delta = delta + datetime.timedelta(seconds=1)
            # Just set max_age - the max_age logic will set expires.
            expires = None
            # Any caller-supplied max_age is discarded here; an expiry in
            # the past yields max_age=0, which effectively expires the cookie.
            max_age = max(0, delta.days * 86400 + delta.seconds)
        else:
            self.cookies[key]["expires"] = expires
    else:
        self.cookies[key]["expires"] = ""
    if max_age is not None:
        self.cookies[key]["max-age"] = int(max_age)
        # IE requires expires, so set it if hasn't been already.
        if not expires:
            self.cookies[key]["expires"] = http_date(time.time() + max_age)
    if path is not None:
        self.cookies[key]["path"] = path
    if domain is not None:
        self.cookies[key]["domain"] = domain
    if secure:
        self.cookies[key]["secure"] = True
    if httponly:
        self.cookies[key]["httponly"] = True
    if samesite:
        # Browsers reject SameSite=None cookies that are not also Secure
        # (the console warning reproduced further down this page shows this).
        if samesite.lower() not in ("lax", "none", "strict"):
            raise ValueError('samesite must be "lax", "none", or "strict".')
        self.cookies[key]["samesite"] = samesite
- / 表示全局,所有的url有效
- /xxxx/ 表示,只有当前url生效
默认情况下(不传 domain)cookie 是 host-only 的,只对设置它的那个主机有效:在 www.for-best.cn 设置的 cookie,访问 mail.for-best.cn 时不会被发送,哪怕是同一个站点。需要跨子域共享时才显式把 domain 设成一级域名(如下),这样它的所有子域都能读到;注意这也意味着任何一个子域上的 XSS 或被接管的子域都能读写这个 cookie,登录态 cookie 尽量不要这样放宽。
reply.set_cookie("username", c[0],max_age=15,expires=t,domain="for-best.cn")
另外不能给别的域名设置cookies
参数 secure=True 表示浏览器只在 HTTPS 请求中发送这个 cookie,明文 HTTP 下不会带上,登录态 cookie 在生产环境应当打开。httponly 示例:reply.set_cookie("username", c[0],max_age=15,expires=t,domain="for-best.cn",httponly=True)
httponly 的意思是该 cookie 只随 HTTP 请求发送,页面里的 JavaScript(document.cookie)读不到它;这样即使页面存在 XSS 漏洞,脚本也拿不走登录 cookie。它不阻止客户端自己伪造 cookie,也不阻止明文抓包——后者要靠 secure / HTTPS。
客户端设置cookiedocument.cookie "csrftoken=d6XqUqkCSRCIiHQvhJUxNlxkyDGrwkYhKGfMtrCldrredqXax45DqJ8zTOI683Qa" document.cookie = "k1 = v1" 由于 Cookie “k1”的“SameSite”属性设置为“None”或无效值,但缺少“Secure”属性,此 Cookie 未来将被拒绝。若要了解“SameSite“的更多信息,请参阅:https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite debugger eval code:1 "k1 = v1"
可以设置cookie
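# Signed cookie section (the page calls it an "encrypted" cookie):
# set_signed_cookie SIGNS the value with SECRET_KEY so tampering is detected;
# the value itself stays readable by whoever holds the cookie.
reply = redirect("/classes/manage.html")
reply.set_signed_cookie("username", c[0], max_age=15, expires=t, httponly=True)
reply.set_signed_cookie("k1", "v1", max_age=15, expires=t, httponly=True)
reply.set_signed_cookie("k2", "v2", max_age=15, expires=t, httponly=True)
# Reading it back. Fix: the original raised KeyError when the cookie was
# absent and BadSignature when it had been tampered with; ``default=None``
# turns both into a None result the caller can test. ``max_age`` makes the
# server re-check the signature's timestamp, because the cookie's own
# expiry is only enforced by the browser.
username = request.get_signed_cookie("username", default=None, max_age=15)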

这样只能说比以前好一点:set_signed_cookie 是签名(基于 SECRET_KEY 的 HMAC)而不是加密,值本身仍然是可读的,用户名等信息照样暴露在客户端;签名只能保证值没有被篡改。另外 SECRET_KEY 一旦泄露,签名 cookie 同样可以被伪造。
### 一定要使用cookie的好方案
用 cookie 做认证时,cookie 里只放不敏感的信息——最好只放一个随机的会话 ID(Django 的 session 框架就是这么做的),用户名、密码等一律留在服务端。代价是每次请求都要按这个 ID 去查一次会话存储,请求频繁时数据库压力会变大,可以把 session 放到缓存后端来缓解。



