This commit is contained in:
yumoqing 2026-04-09 17:26:28 +08:00
parent ba302ae1c9
commit 04c6195720


@ -102,12 +102,22 @@ class AuthAPI:
b = str(self.conf.website.port).encode('utf-8') b = str(self.conf.website.port).encode('utf-8')
cnt = 32 - len(b) cnt = 32 - len(b)
secret = b + b'iqwertyuiopasdfghjklzxcvbnm12345'[:cnt] secret = b + b'iqwertyuiopasdfghjklzxcvbnm12345'[:cnt]
storage = EncryptedCookieStorage(secret) storage = EncryptedCookieStorage(secret,
secure=True, # <--- 核心:生产环境 HTTPS 必须为 True
samesite='None', # <--- 核心:跨域必须为 None
httponly=True, # 安全建议:防止 XSS 攻击
max_age=24*60*60
)
if self.conf.website.session_redis: if self.conf.website.session_redis:
url = self.conf.website.session_redis.url url = self.conf.website.session_redis.url
# redis = await aioredis.from_url("redis://127.0.0.1:6379") # redis = await aioredis.from_url("redis://127.0.0.1:6379")
redisdb = await redis.Redis.from_url(url) redisdb = await redis.Redis.from_url(url)
storage = MyRedisStorage(redisdb) storage = MyRedisStorage(redisdb,
secure=True, # <--- 核心:生产环境 HTTPS 必须为 True
samesite='None', # <--- 核心:跨域必须为 None
httponly=True, # 安全建议:防止 XSS 攻击
max_age=24*60*60
)
aiohttp_session.setup(app, storage) aiohttp_session.setup(app, storage)
# Create an auth ticket mechanism that expires after 1 minute (60 # Create an auth ticket mechanism that expires after 1 minute (60