In Rails, with cookie-based session store, are session and cookies the same thing?


Question

I've always been using the cookie-based session store, and never even knew about Cookies until now. So is there any situation where I'd need the cookies hash?

Answer

The cookies hash definitely has value in Rails apps. You should use cookies to store values on the client side that you want to remember between sessions.

A 'remember me' token is a great example. If you want to allow a user to be auto logged in when they visit your site, just store a persistent cookie with some user tamper-proof value (like a unique hash or guid (good) that maps to that user's row in your db but isn't hackable like just using a plain old integer user id (bad)). Then, when a user visits your site, you can check the cookies hash for a remember me token and, if found, do a lookup in your db and log the user in if a match is found. This is a very common practice.

If you need/want to store plaintext values in the client side cookie, but don't want the user to be able to futz with the values, just store a hash of that value in a companion cookie and salt the hash with some value unknown to the user. Then you just need to compute the salted hash of the plaintext value received from the client cookie and compare it against the hashed value also passed from the client cookie. If they match, you can trust it.
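The two patterns the answer describes, a remember-me token looked up in the database and a plaintext cookie guarded by a salted-hash companion cookie, as an added example that is not part of the original answer or of Rails itself. It realises the "hash salted with a value unknown to the user" as an HMAC keyed with a server secret, uses a constant-time comparison for the check, and stands in a plain Hash for both the cookie jar and the database; `SERVER_SECRET`, the `_digest` cookie suffix and all function names are constructed for the example.

```ruby
require "openssl"
require "securerandom"

# Constructed server-side secret for the example; a real app loads it from
# credentials and never sends it to the client.
SERVER_SECRET = "example-secret-not-for-production"

# Keyed hash (HMAC-SHA256) of a value; the secret is the "salt unknown to the user".
def companion_digest(plaintext, secret = SERVER_SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, plaintext)
end

# Constant-time comparison so a mismatch position cannot be inferred from timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookies to set when storing a plaintext value the client must not alter:
# the value itself plus a companion cookie holding its keyed digest.
def write_companion_cookies(name, plaintext)
  { name => plaintext, "#{name}_digest" => companion_digest(plaintext) }
end

# Reads the plaintext cookie back; returns nil unless the companion digest
# recomputed server-side matches the one the client sent.
def read_companion_cookie(cookies, name)
  value  = cookies[name]
  digest = cookies["#{name}_digest"]
  return nil if value.nil? || digest.nil?
  secure_equal?(companion_digest(value), digest) ? value : nil
end

# Remember-me token: a random value is handed to the client and only its keyed
# digest is stored against the user, so the token is not guessable like an
# integer id and a leaked table does not yield usable tokens.
def issue_remember_token(db, user_id)
  token = SecureRandom.hex(32)
  db[companion_digest(token)] = user_id
  token
end

# Looks the presented token up in the constructed in-memory "db"; nil if unknown.
def user_for_remember_token(db, token)
  return nil if token.nil?
  db[companion_digest(token)]
end
```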
