Django中间件之SessionMiddleware源码分析
settings.py文件中
MIDDLEWARE = [
'django.contrib.sessions.middleware.SessionMiddleware',
]
# from django.contrib.sessions.middleware import SessionMiddleware
# ctrl+鼠标左击进入SessionMiddleware
class SessionMiddleware(MiddlewareMixin):
def __init__(self, get_response=None):
xxx
def process_request(self, request):
xxx
def process_response(self, request, response):
xxx
注释:xxx代表省略。这里实现的两个方法:process_request和process_response两个方法是Django中间件里面可以实现的5个方法中的两个。
# 初始化方法
def __init__(self, get_response=None):
self.get_response = get_response
engine = import_module(settings.SESSION_ENGINE)
self.SessionStore = engine.SessionStore
这里的初始化方法,首先将None赋值给了一个变量,engine其实是赋值了一个db对象。跟踪进settings发现了一个LazySettings对象,它没有SESSION_ENGINE变量,在它的的父类LazyObject也没有此变量,再来详细看一看LazySettings:
def _setup(self, name=None):
"""
Load the settings module pointed to by the environment variable. This
is used the first time we need any settings at all, if the user has not
previously configured the settings manually.
"""
settings_module = os.environ.get(ENVIRONMENT_VARIABLE)
if not settings_module:
desc = ("setting %s" % name) if name else "settings"
raise ImproperlyConfigured(
"Requested %s, but settings are not configured. "
"You must either define the environment variable %s "
"or call settings.configure() before accessing settings."
% (desc, ENVIRONMENT_VARIABLE))
self._wrapped = Settings(settings_module)
进入Settings对象:
class Settings(object):
def __init__(self, settings_module):
# update this dict from global settings (but only for ALL_CAPS settings)
for setting in dir(global_settings):
if setting.isupper():
setattr(self, setting, getattr(global_settings, setting))
# store the settings module in case someone later cares
self.SETTINGS_MODULE = settings_module
mod = importlib.import_module(self.SETTINGS_MODULE)
tuple_settings = (
"INSTALLED_APPS",
"TEMPLATE_DIRS",
"LOCALE_PATHS",
)
self._explicit_settings = set()
for setting in dir(mod):
if setting.isupper():
setting_value = getattr(mod, setting)
if (setting in tuple_settings and
not isinstance(setting_value, (list, tuple))):
raise ImproperlyConfigured("The %s setting must be a list or a tuple. " % setting)
setattr(self, setting, setting_value)
self._explicit_settings.add(setting)
# xxxxxxxxxx省略
注意到有一个global_settings变量,跟踪发现其实是一个py文件,它里面定义了一种初始化变量,类似于settings一样。在这里终于发现SESSION_ENGINE:SESSION_ENGINE = 'django.contrib.sessions.backends.db'。这就是一个操纵数据库的文件。
这里的代码主要是进行各种设置,以后为了进行settings这种操作。这里可以看到,大量使用了getattr和setattr这种自省操作。
回到SessionMiddleware,看看import_module
def import_module(name, package=None):
level = 0
if name.startswith('.'):
if not package:
msg = ("the 'package' argument is required to perform a relative "
"import for {!r}")
raise TypeError(msg.format(name))
for character in name:
if character != '.':
break
level += 1
return _bootstrap._gcd_import(name[level:], package, level)
这里主要是通过字符串标识的路径来导入该模块或其下的方法(属性)。
还有一个SessionStore,它是一个类,主要是为了进行session的操作。
看一看process_request:
def process_request(self, request):
session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
request.session = self.SessionStore(session_key)
process_request在收到request之后,未解析url之前进行。
这里session_key主要就是在cookis中取出sessionid。其实SESSION_COOKIE_NAME是在上面提到的global_settings.py中定义的:SESSION_COOKIE_NAME = 'sessionid'。我们以后任何设置都可以在这里找到原型。
session是一个SessionStore对象。进入(from django.contrib.sessions.backends import db 进入):
class SessionStore(SessionBase):
def __init__(self, session_key=None):
super(SessionStore, self).__init__(session_key)
紧接着进入:SessionBase
class SessionBase(object):
TEST_COOKIE_NAME = 'testcookie'
TEST_COOKIE_VALUE = 'worked'
__not_given = object()
def __init__(self, session_key=None):
self._session_key = session_key
self.accessed = False
self.modified = False
self.serializer = import_string(settings.SESSION_SERIALIZER)
这里主要进行了赋值,注意到SESSION_SERIALIZER,在global_settings.py中找到:SESSION_SERIALIZER = 'django.contrib.sessions.serializers.JSONSerializer'。如果你用过drf的话,那么对这个serializers一定熟悉,就是做序列化的。
在设置session的时候通常认为它就是一个字典,可以进行字典赋值。字典的赋值调用__setitem__方法,获取__getitem__方法。
def __getitem__(self, key):
return self._session[key]
def _get_session(self, no_load=False):
self.accessed = True
try:
return self._session_cache
except AttributeError:
if self.session_key is None or no_load:
self._session_cache = {}
else:
self._session_cache = self.load()
return self._session_cache
_session = property(_get_session)
可以看到这里运用了property,就是将一个方法变为属性来操作的装饰器。第一次访问服务器时_session_cache没有这个变量,然后session_key也是空的,no_load是False,所以初始化一个self._session_cache = {}。这里总体来说,如果你第一次访问服务器,那么创建一个session的字典。
再来看一看__setitem__:
def __setitem__(self, key, value):
self._session[key] = value
self.modified = True
def _get_session(self, no_load=False):
self.accessed = True
try:
return self._session_cache
except AttributeError:
if self.session_key is None or no_load:
self._session_cache = {}
else:
self._session_cache = self.load()
return self._session_cache
_session = property(_get_session)
这里与上面变化不大,如果是赋值的时候,那么_session_cache已经存在,直接赋值即可。
注意这里还没有保存到数据库中。
再来看一看process_response
def process_response(self, request, response):
"""
If request.session was modified, or if the configuration is to save the
session every time, save the changes and set a session cookie or delete
the session cookie if the session has been emptied.
"""
try:
accessed = request.session.accessed
modified = request.session.modified
empty = request.session.is_empty()
except AttributeError:
pass
else:
# First check if we need to delete this cookie.
# The session should be deleted only if the session is entirely empty
if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
response.delete_cookie(
settings.SESSION_COOKIE_NAME,
path=settings.SESSION_COOKIE_PATH,
domain=settings.SESSION_COOKIE_DOMAIN,
)
else:
if accessed:
patch_vary_headers(response, ('Cookie',))
if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
if request.session.get_expire_at_browser_close():
max_age = None
expires = None
else:
max_age = request.session.get_expiry_age()
expires_time = time.time() + max_age
expires = cookie_date(expires_time)
# Save the session data and refresh the client cookie.
# Skip session save for 500 responses, refs #3881.
if response.status_code != 500:
try:
request.session.save()
except UpdateError:
raise SuspiciousOperation(
"The request's session was deleted before the "
"request completed. The user may have logged "
"out in a concurrent request, for example."
)
response.set_cookie(
settings.SESSION_COOKIE_NAME,
request.session.session_key, max_age=max_age,
expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
path=settings.SESSION_COOKIE_PATH,
secure=settings.SESSION_COOKIE_SECURE or None,
httponly=settings.SESSION_COOKIE_HTTPONLY or None,
)
return response
主要是在执行视图函数之后返回Response后调用的,进行一些session的返回等。
首先进行赋值:accessed,modified这两个值在之前设置为True。这里empty:
def is_empty(self):
"Returns True when there is no session_key and the session is empty"
try:
return not bool(self._session_key) and not self._session_cache
except AttributeError:
return True
意思就是当没有session_key且session是空的时候为True,之后进行了一些cookie的设置以及向response写入了一些东西。接着在process_response里面我们发现了一个重要的操作:
request.session.save()
我们知道session是一个SessionStore对象,所以我们就到那里去寻找save操作:
def save(self, must_create=False):
"""
Saves the current session data to the database. If 'must_create' is
True, a database error will be raised if the saving operation doesn't
create a *new* entry (as opposed to possibly updating an existing
entry).
"""
if self.session_key is None:
return self.create()
data = self._get_session(no_load=must_create)
obj = self.create_model_instance(data)
using = router.db_for_write(self.model, instance=obj)
try:
with transaction.atomic(using=using):
obj.save(force_insert=must_create, force_update=not must_create, using=using)
except IntegrityError:
if must_create:
raise CreateError
raise
except DatabaseError:
if not must_create:
raise UpdateError
raise
这里主要进行session的持久化保存,就是保存到数据库。
浏览器第一次访问不会携带session。这里第一次会执行return self.create(),进入create()
def create(self):
while True:
self._session_key = self._get_new_session_key()
try:
# Save immediately to ensure we have a unique entry in the
# database.
self.save(must_create=True)
except CreateError:
# Key wasn't unique. Try again.
continue
self.modified = True
return
这里进行了唯一性判断,_session_key保证不重复。然后进入_get_new_session_key():
def _get_new_session_key(self):
"Returns session key that isn't being used."
while True:
session_key = get_random_string(32, VALID_KEY_CHARS)
if not self.exists(session_key):
break
return session_key
和create()一致,进入get_random_string():
def get_random_string(length=12,
allowed_chars='abcdefghijklmnopqrstuvwxyz'
'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'):
"""
Returns a securely generated random string.
The default length of 12 with the a-z, A-Z, 0-9 character set returns
a 71-bit value. log_2((26+26+10)^12) =~ 71 bits
"""
if not using_sysrandom:
# This is ugly, and a hack, but it makes things better than
# the alternative of predictability. This re-seeds the PRNG
# using a value that is hard for an attacker to predict, every
# time a random string is required. This may change the
# properties of the chosen random sequence slightly, but this
# is better than absolute predictability.
random.seed(
hashlib.sha256(
("%s%s%s" % (
random.getstate(),
time.time(),
settings.SECRET_KEY)).encode('utf-8')
).digest())
return ''.join(random.choice(allowed_chars) for i in range(length))
这里使用了hashlib模块用sha256进行了加密,包括字符,时间以及settings.py文件中的那个SECRET_KEY。所以那个变量非常重要,千万不要外泄。
创建完成之后,在create函数中会保存,即执行save()函数,跟上面一样:
def save(self, must_create=False):
"""
Saves the current session data to the database. If 'must_create' is
True, a database error will be raised if the saving operation doesn't
create a *new* entry (as opposed to possibly updating an existing
entry).
"""
if self.session_key is None:
return self.create()
data = self._get_session(no_load=must_create)
obj = self.create_model_instance(data)
using = router.db_for_write(self.model, instance=obj)
try:
with transaction.atomic(using=using):
obj.save(force_insert=must_create, force_update=not must_create, using=using)
except IntegrityError:
if must_create:
raise CreateError
raise
except DatabaseError:
if not must_create:
raise UpdateError
raise
这次就if不通过,然后进入_get_session:
def _get_session(self, no_load=False):
"""
Lazily loads session from storage (unless "no_load" is True, when only
an empty dict is stored) and stores it in the current instance.
"""
self.accessed = True
try:
return self._session_cache
except AttributeError:
if self.session_key is None or no_load:
self._session_cache = {}
else:
self._session_cache = self.load()
return self._session_cache
它里面主要是判断session是否缓存了,如果缓存直接返回缓存数据,如果没有,那么构造一个_session_cache字典。返回,进入create_model_instance:
def create_model_instance(self, data):
"""
Return a new instance of the session model object, which represents the
current session state. Intended to be used for saving the session data
to the database.
"""
return self.model(
session_key=self._get_or_create_session_key(),
session_data=self.encode(data),
expire_date=self.get_expiry_date(),
)
返回一个model,进入model()函数:
@cached_property
def model(self):
return self.get_model_class()
进入get_model_class()函数,跟进去之后发现它导入了一个Session对象:
@classmethod
def get_model_class(cls):
# Avoids a circular import and allows importing SessionStore when
# django.contrib.sessions is not in INSTALLED_APPS.
from django.contrib.sessions.models import Session
return Session
class Session(AbstractBaseSession):
"""
Django provides full support for anonymous sessions. The session
framework lets you store and retrieve arbitrary data on a
per-site-visitor basis. It stores data on the server side and
abstracts the sending and receiving of cookies. Cookies contain a
session ID -- not the data itself.
The Django sessions framework is entirely cookie-based. It does
not fall back to putting session IDs in URLs. This is an intentional
design decision. Not only does that behavior make URLs ugly, it makes
your site vulnerable to session-ID theft via the "Referer" header.
For complete documentation on using Sessions in your code, consult
the sessions documentation that is shipped with Django (also available
on the Django Web site).
"""
objects = SessionManager()
@classmethod
def get_session_store_class(cls):
from django.contrib.sessions.backends.db import SessionStore
return SessionStore
class Meta(AbstractBaseSession.Meta):
db_table = 'django_session'
注意底下的 db_table = 'django_session`,它就是在数据库中表的名称。它继承了父类的一些东西。
之后返回到save()方法:
def save(self, must_create=False):
"""
Saves the current session data to the database. If 'must_create' is
True, a database error will be raised if the saving operation doesn't
create a *new* entry (as opposed to possibly updating an existing
entry).
"""
if self.session_key is None:
return self.create()
data = self._get_session(no_load=must_create)
obj = self.create_model_instance(data)
using = router.db_for_write(self.model, instance=obj)
try:
with transaction.atomic(using=using):
obj.save(force_insert=must_create, force_update=not must_create, using=using)
except IntegrityError:
if must_create:
raise CreateError
raise
except DatabaseError:
if not must_create:
raise UpdateError
raise
进入db_for_write是查找数据库的代码。这一块暂时停一下。接着就开始数据库的事务操作了,确保正确将 session 存入数据库。
Django中间件之SessionMiddleware源码分析的更多相关文章
- Django之REST framework源码分析
前言: Django REST framework,是1个基于Django搭建 REST风格API的框架: 1.什么是API呢? API就是访问即可获取数据的url地址,下面是一个最简单的 Djang ...
- Python学习---Django的request.post源码分析
request.post源码分析: 可以看到传递json后会帮我们dumps处理一次最后一字节形式传递过去
- Django rest framework 版本控制(源码分析)
基于上述分析 #2.处理版本信息 处理认证信息 处理权限信息 对用户的访问频率进行限制 self.initial(request, *args, **kwargs) #2.1处理版本信息 #versi ...
- SessionMiddleware源码分析
settings.py文件中 MIDDLEWARE = [ 'django.contrib.sessions.middleware.SessionMiddleware', ] # from djang ...
- Django _VIEW视图_源码分析
Django _VIEW视图: 1. 点击as_view方法. 第二步: as_view () 为VIEW 类里定义的,到时候我们定义业务逻辑的类就继承这个VIEW类. view方法内返回的是disp ...
- Django之CBV视图源码分析(工作原理)
1.首先我们先在urls.py定义CBV的路由匹配. FBV的路由匹配: 2.然后,在views.py创建一名为MyReg的类: 注意:该类必须继续View类,且方法名必须与请求方式相同(后面会详解) ...
- Django_Restframwork_APIVIEW视图_源码分析
Django _VIEW视图_源码分析
- Django中间件部分源码分析
中间件源码分析 中间件简介 中间件是一个用来处理Django的请求和响应的框架级别的钩子.它是一个轻量.低级别的插件系统,用于在全局范围内改变Django的输入和输出.每个中间件组件都负责做一些特定的 ...
- Django rest framework源码分析(一) 认证
一.基础 最近正好有机会去写一些可视化的东西,就想着前后端分离,想使用django rest framework写一些,顺便复习一下django rest framework的知识,只是顺便哦,好吧. ...
随机推荐
- Jmeter系列(49)- 详解 HTTP Cookie 管理器
如果你想从头学习Jmeter,可以看看这个系列的文章哦 https://www.cnblogs.com/poloyy/category/1746599.html 简单介绍 功能一 首先,它像网络浏览器 ...
- 源码解析JDK1.8-HashMap链表成环的问题解决方案
前言 上篇文章详解介绍了HashMap在JDK1.7版本中链表成环的原因,今天介绍下JDK1.8针对HashMap线程安全问题的解决方案. jdk1.8 扩容源码解析 public class Has ...
- openvswitch ovs-appctl 使用
参考链接:https://www.cnblogs.com/zqyanywn/p/10501590.html 1. fdb/show bridge 列出指定桥上每个MAC直至与VLAN的对应信息,并且包 ...
- RSA加密算法和SSH远程连接服务器
服务器端与客户端的密钥系统不一样,称为非对称式密钥系统 RSA算法的基础是模运算x mod n,事实上: [(a mod n) + (b mod n)] mod n = (a+b) mod n [(a ...
- you-get 下载B站上的视频
安装you-get pip install you-get 安装好后,我们可以查看一下you-get的参数 you-get -h 视频下载 单个视频下载 CMD下载 you-get -o /data/ ...
- Locust性能测试2--登录示例
无论是做接口自动化还是做压测,解决了登录就离成功进步了一大半,下面做个简单的登录案例,后续再说下数据依赖及参数化等问题 1. 登录 登录示例 from locust import HttpUser, ...
- Java多线程_ThreadLocal
用法:ThreadLocal用于保存某个线程共享变量:对于同一个static ThreadLocal,不同线程只能从中get,set,remove自己的变量,而不会影响其他线程的变量. ThreadL ...
- Erlang中的宏定义应该在什么时候用
读<Erlang OTP并发编程实战>中看到这么一句话,遂做笔记以记录: 宏不是函数的替代品,当你所需的抽象无法用普通函数来实现时,宏给出了一条生路,比如,必须确保在编译期展开某些代码的时 ...
- 企业网站SEO如何选择关键词
http://www.wocaoseo.com/thread-17-1-1.html 企业网站的关键词应该如何去选择?有很多的企业老板在网上某某企业在网上做了一个网站,一天盈利多少后,觉得 ...
- tars 问题汇总
1. 节点 ip地址变了如何解决.后台不可以改. 2. [ok] 服务如何在本地运行../HelloGo --config.conf