前言

Cookie和Session相信對(duì)大家來說并不陌生，簡(jiǎn)單來說，Cookie和Session都是為了記錄用戶相關(guān)信息的方式，最大的區(qū)別就是Cookie在客戶端記錄而Session在服務(wù)端記錄內(nèi)容。

那么Cookie和Session之間的聯(lián)系是怎么建立的呢？換言之，當(dāng)服務(wù)器接收到一個(gè)請(qǐng)求時(shí)候，根據(jù)什么來判斷讀取哪個(gè)Session的呢？

對(duì)于Django默認(rèn)情況來說，當(dāng)用戶登錄后就可以發(fā)現(xiàn)Cookie里有一個(gè)sessionid的字段，根據(jù)這個(gè)key就可以取得在服務(wù)器端記錄的詳細(xì)內(nèi)容。如果將這個(gè)字段刪除，刷新頁面就會(huì)發(fā)現(xiàn)變成未登錄狀態(tài)了。

對(duì)于Session的處理主要在源碼django/contrib/sessions/middleware.py中，如下所示：

import timefrom importlib import import_modulefrom django.conf import settingsfrom django.contrib.sessions.backends.base import UpdateErrorfrom django.core.exceptions import SuspiciousOperationfrom django.utils.cache import patch_vary_headersfrom django.utils.deprecation import MiddlewareMixinfrom django.utils.http import cookie_dateclass SessionMiddleware(MiddlewareMixin): def __init__(self, get_response=None):  self.get_response = get_response  engine = import_module(settings.SESSION_ENGINE)  self.SessionStore = engine.SessionStore def process_request(self, request):  session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)  request.session = self.SessionStore(session_key) def process_response(self, request, response):  """  If request.session was modified, or if the configuration is to save the  session every time, save the changes and set a session cookie or delete  the session cookie if the session has been emptied.  """  try:   accessed = request.session.accessed   modified = request.session.modified   empty = request.session.is_empty()  except AttributeError:   pass  else:   # First check if we need to delete this cookie.   # The session should be deleted only if the session is entirely empty   if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:    response.delete_cookie(     settings.SESSION_COOKIE_NAME,     path=settings.SESSION_COOKIE_PATH,     domain=settings.SESSION_COOKIE_DOMAIN,    )   else:    if accessed:     patch_vary_headers(response, ('Cookie',))    if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:     if request.session.get_expire_at_browser_close():      max_age = None      expires = None     else:      max_age = request.session.get_expiry_age()      expires_time = time.time() + max_age      expires = cookie_date(expires_time)     # Save the session data and refresh the client cookie.     # Skip session save for 500 responses, refs #3881.     if response.status_code != 500:      try:       request.session.save()      except UpdateError:       raise SuspiciousOperation(        "The request's session was deleted before the "        "request completed. The user may have logged "        "out in a concurrent request, for example."       )      response.set_cookie(       settings.SESSION_COOKIE_NAME,       request.session.session_key, max_age=max_age,       expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,       path=settings.SESSION_COOKIE_PATH,       secure=settings.SESSION_COOKIE_SECURE or None,       httponly=settings.SESSION_COOKIE_HTTPONLY or None,      )  return response