


I recently built a Django-based authentication system using a tutorial. Within this system I created a token in forms.py. This token is then sent (as a link) in an activation mail.

from django.contrib.auth.tokens import default_token_generator
token = default_token_generator.make_token(user)


The view which receives the get request matches the token and the user-id supplied in this link and checks the token using:

default_token_generator.check_token(user, token)


This verifies that the token was sent through my site. But I don't understand the process. The token is unique but I don't seem to save the token somewhere? So how does check_token() verify the token?



A token consists of a timestamp and an HMAC value. HMAC is a keyed hashing function: hashing uses a secret key (by default settings.SECRET_KEY) to get a unique value, but "unhashing" is impossible with or without the key.



  • The user's primary key.
  • The user's hashed password.
  • The user's last login timestamp.
  • The current timestamp.


The token then consists of the current timestamp and the hash of these four values. The first three values are already in the database, and the fourth value is part of the token, so Django can verify the token at any time.


By including the user's hashed password and last login timestamp in the hash, a token is automatically invalidated when the user logs in or changes their password. The current timestamp is also checked to see if the token has expired. Note that even though the current timestamp is included in the token (as a base36 encoded string), if an attacker changes the value, the hash changes as well and the token is rejected.


07-28 04:20
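To make the answer concrete, here is an added, stand-alone re-implementation of the scheme it describes. This is example code, not the question's code and not Django's own tokens.py: it keeps the same shape (base36 timestamp, a dash, a truncated HMAC over the user's primary key, password hash, last-login timestamp and the current timestamp) but the `User` dataclass, the `SECRET_KEY` bytes, the Unix-seconds timestamp and the three-day `TOKEN_TIMEOUT_SECONDS` are assumptions made for the example; Django's real generator derives the HMAC key differently and counts seconds from a fixed epoch. The point it demonstrates is that nothing about the token is stored: `check_token` recomputes the hash from what is already in the database plus the timestamp carried in the token itself, compares in constant time, and then applies the expiry check.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed stand-ins for settings.SECRET_KEY and the reset-timeout setting (assumptions).
SECRET_KEY = b"example-secret-key-for-demo-only"
TOKEN_TIMEOUT_SECONDS = 3 * 24 * 60 * 60  # three days, an assumed value

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


@dataclass
class User:
    """Minimal stand-in for the Django user model (hypothetical)."""
    pk: int
    password: str              # the stored password *hash*, never the plaintext
    last_login: Optional[datetime]


def int_to_base36(n: int) -> str:
    """Encode a non-negative integer as base36, the way the token's timestamp is carried."""
    if n < 0:
        raise ValueError("negative values cannot be encoded")
    if n < 36:
        return ALPHABET[n]
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(ALPHABET[r])
    return "".join(reversed(digits))


def base36_to_int(s: str) -> int:
    """Decode base36; reject anything outside the alphabet so int() cannot be tricked."""
    if not s or any(c not in ALPHABET for c in s):
        raise ValueError("invalid base36 string")
    return int(s, 36)


def _hash_value(user: User, timestamp: int) -> str:
    # The four inputs the answer lists: pk, password hash, last login, current timestamp.
    login_ts = "" if user.last_login is None else user.last_login.replace(microsecond=0, tzinfo=None).isoformat()
    return f"{user.pk}{user.password}{login_ts}{timestamp}"


def _make_token_with_timestamp(user: User, timestamp: int, secret: bytes = SECRET_KEY) -> str:
    # Keyed hash: without SECRET_KEY nobody can produce a matching digest for a chosen timestamp.
    digest = hmac.new(secret, _hash_value(user, timestamp).encode(), hashlib.sha256).hexdigest()
    return f"{int_to_base36(timestamp)}-{digest[::2]}"   # Django also keeps every other hex char


def make_token(user: User, now: Optional[int] = None) -> str:
    """Issue a token; `now` is injectable so expiry can be exercised deterministically."""
    now = int(time.time()) if now is None else now
    return _make_token_with_timestamp(user, now)


def check_token(user: Optional[User], token: str, now: Optional[int] = None) -> bool:
    """Verify without any stored state: recompute, constant-time compare, then check expiry."""
    if not (user and token):
        return False
    try:
        ts_b36, _ = token.split("-")     # exactly one dash, else the token is malformed
        ts = base36_to_int(ts_b36)
    except ValueError:
        return False
    expected = _make_token_with_timestamp(user, ts)
    # A tampered timestamp or digest fails here because the HMAC no longer matches.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    now = int(time.time()) if now is None else now
    return (now - ts) <= TOKEN_TIMEOUT_SECONDS


def demonstrate() -> dict:
    """Run the scenarios the answer describes and return which ones verify."""
    issued_at = 1_700_000_000                              # constructed fixed clock
    user = User(pk=1, password="pbkdf2_sha256$demo$hash", last_login=datetime(2024, 1, 1, 12, 0))
    token = make_token(user, now=issued_at)
    ts_b36, digest = token.split("-")
    forged = f"{int_to_base36(issued_at + 10)}-{digest}"   # timestamp edited, digest kept
    return {
        "fresh": check_token(user, token, now=issued_at),
        "expired": check_token(user, token, now=issued_at + TOKEN_TIMEOUT_SECONDS + 1),
        "after_password_change": check_token(User(1, "pbkdf2_sha256$new$hash", user.last_login), token, now=issued_at),
        "after_login": check_token(User(1, user.password, datetime(2024, 1, 2, 9, 0)), token, now=issued_at),
        "forged_timestamp": check_token(user, forged, now=issued_at),
    }


if __name__ == "__main__":
    for scenario, ok in demonstrate().items():
        print(f"{scenario}: {'valid' if ok else 'rejected'}")
```

Because the last-login value and password hash are mixed into the digest, the "after_login" and "after_password_change" scenarios are rejected without the server remembering anything about the token, which is exactly why no token table is needed.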