Web authentication state - Session vs Cookie?


Question

What's the best way to authenticate and track user authentication state from page to page? Some say session state, some say cookies?

Could I just use a session variable that has the ID of the user and, upon authentication, instantiate a custom User class that has the User's information? Then, on every page, verify the session variable is still active and access basic user data from the User object?

Any thoughts? Any good examples?

Recommended answer

There's no perfect way to do it. If you store it in a cookie you'll take flak that cookies can be stolen. If you store it in the session you'll take flak because sessions can be hijacked.

Personally, I tend to think a session is a little more reliable because the only thing stored on the client is a session key. The actual data remains on the server. It plays the cards a little closer to the chest, if you will. However, that's just my preference, and a good hacker would be able to get past shoddy security regardless.

No matter what you do, don't try to implement this yourself. You'll get it wrong. Use the authentication system provided by your specific platform. You also need to make sure you have adequate security precautions protecting the authentication token.
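As an added example that is not part of the question or the answer above, the following Python sketches the two designs the answer weighs side by side: a server-side session, where the browser holds only an opaque random key and the user record stays on the server, and a signed cookie, where the state travels with the client and an HMAC stops it being tampered with. The Set-Cookie attributes show what "adequate security precautions protecting the authentication token" means in practice. Every class and function name here is hypothetical, and the in-memory dict stands in for a real session store.

```python
"""Server-side session vs. signed cookie (added example, not from the thread).

ServerSideSessions: the client gets a random ID; data stays on the server.
SignedCookie:       the data rides in the cookie, integrity via HMAC-SHA256,
                    readable by anyone holding it (no confidentiality).
Both hand the browser a Set-Cookie header whose attributes protect the token.
All names are hypothetical; the dict stands in for a real session store.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 3600  # seconds a session stays valid


class ServerSideSessions:
    """Sessions live on the server; the browser only ever sees a random key."""

    def __init__(self, ttl=SESSION_TTL):
        self._store = {}  # session id -> {"user_id": ..., "expires": ...}
        self.ttl = ttl

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG: unguessable and unrelated to user_id.
        sid = secrets.token_urlsafe(32)
        self._store[sid] = {"user_id": user_id, "expires": now + self.ttl}
        return sid

    def lookup(self, sid, now=None):
        """Return the user id behind a live session, or None."""
        now = time.time() if now is None else now
        rec = self._store.get(sid)
        if rec is None:
            return None
        if now >= rec["expires"]:
            del self._store[sid]  # expired: remove so it cannot be replayed
            return None
        return rec["user_id"]

    def destroy(self, sid):
        """Logout invalidates the session server-side, not just the cookie."""
        self._store.pop(sid, None)


class SignedCookie:
    """State stored in the cookie, protected from tampering by HMAC-SHA256."""

    def __init__(self, key: bytes):
        self.key = key

    def _mac(self, data: str) -> bytes:
        return hmac.new(self.key, data.encode(), hashlib.sha256).hexdigest().encode()

    def encode(self, payload: dict) -> str:
        body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
        b64 = base64.urlsafe_b64encode(body).decode().rstrip("=")
        return f"{b64}.{self._mac(b64).decode()}"

    def decode(self, token: str, now=None):
        """Return the payload if the MAC verifies and it has not expired."""
        now = time.time() if now is None else now
        b64, sep, mac = token.rpartition(".")
        # Constant-time compare; verify before parsing anything attacker-controlled.
        if not sep or not hmac.compare_digest(mac.encode(), self._mac(b64)):
            return None  # forged, tampered or malformed
        padded = b64 + "=" * (-len(b64) % 4)
        payload = json.loads(base64.urlsafe_b64decode(padded))
        if payload.get("exp", 0) <= now:
            return None
        return payload


def set_cookie_header(name: str, value: str, max_age: int) -> str:
    """Set-Cookie with the attributes that protect the token: sent only over
    HTTPS (Secure), invisible to document.cookie (HttpOnly), and not attached
    to cross-site requests from other origins (SameSite=Lax)."""
    return (f"Set-Cookie: {name}={value}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def cookie_from_request(cookie_header: str, name: str):
    """Pull one cookie's value out of an incoming request's Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value if name in jar else None


if __name__ == "__main__":
    sessions = ServerSideSessions()
    sid = sessions.create(user_id=42)
    print(set_cookie_header("sid", sid, SESSION_TTL))
    print("user:", sessions.lookup(cookie_from_request(f"sid={sid}", "sid")))
    signed = SignedCookie(secrets.token_bytes(32))
    print(signed.decode(signed.encode({"uid": 42, "exp": time.time() + 60})))
```

The two designs fail differently, which is the trade-off the answer gestures at: a server-side session can be destroyed on logout or after a compromise because the server owns the record, whereas a signed cookie stays valid until its `exp` unless you add a server-side blocklist, and everything in it is readable to whoever holds it. Either way the browser-side token is what gets stolen, so the `Secure`, `HttpOnly` and `SameSite` attributes apply equally to both.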
