Cookie 与会话 [英] Cookies vs. sessions
问题描述
我几个月前开始使用 PHP.为了为我的网站创建登录系统,我阅读了有关 cookie 和会话及其差异的信息(cookie 存储在用户的浏览器中,而会话存储在服务器上).那时,我更喜欢 cookie(谁不喜欢 cookie?!),只是说:谁在乎?我没有任何好处将它存储在我的服务器中",所以,我继续使用 cookie我的本科毕业设计.然而,在完成我的应用程序的大部分之后,我听说对于存储用户 ID 的特殊情况,会话更合适.所以我开始考虑如果陪审团问我为什么用cookies而不是sessions,我会说什么?我有这个原因(我不需要在内部存储有关用户的信息).这足以作为理由吗?或者不止于此?
您能告诉我使用cookies来保存用户ID的优点/缺点吗?
I started using PHP a couple of months ago. For the sake of creating a login system for my website, I read about cookies and sessions and their differences (cookies are stored in the user's browser and sessions on the server). At that time, I preferred cookies (and who does not like cookies?!) and just said: "who cares? I don't have any good deal with storing it in my server", so, I went ahead and used cookies for my bachelor graduation project. However, after doin' the big part of my app, I heard that for the particular case of storing user's ID, sessions are more appropriate. So I started thinking about what would I say if the jury asks me why have you used cookies instead of sessions? I have just that reason (that I do not need to store internally information about the user). Is that enough as a reason? or it's more than that?
Could you please tell me about advantages/disadvantages of using cookies for keeping User's ID?
感谢 StackOverflow 中的所有人!
Thanks for you all in StackOverflow!
推荐答案
这个概念是为 Web 访问者存储跨页面加载的持久数据.Cookie 将其直接存储在客户端上.会话使用 cookie 作为某种键,与存储在服务器端的数据相关联.
The concept is storing persistent data across page loads for a web visitor. Cookies store it directly on the client. Sessions use a cookie as a key of sorts, to associate with the data that is stored on the server side.
最好使用会话,因为实际值对客户端是隐藏的,并且您可以控制数据何时过期和无效.如果这一切都基于 cookie,则用户(或黑客)可以操纵他们的 cookie 数据,然后向您的网站播放请求.
It is preferred to use sessions because the actual values are hidden from the client, and you control when the data expires and becomes invalid. If it was all based on cookies, a user (or hacker) could manipulate their cookie data and then play requests to your site.
除了简单之外,我认为使用 cookie 没有任何优势.这样看……用户有什么理由知道他们的ID#?通常我会说不,用户不需要这些信息.应在需要知道的基础上限制提供信息.如果用户将他的 cookie 更改为具有不同的 ID,您的应用程序将如何响应?这是一个安全风险.
I don't think there is any advantage to using cookies, other than simplicity. Look at it this way... Does the user have any reason to know their ID#? Typically I would say no, the user has no need for this information. Giving out information should be limited on a need to know basis. What if the user changes his cookie to have a different ID, how will your application respond? It's a security risk.
在会话风靡一时之前,我基本上有自己的实现.我在客户端存储了一个唯一的 cookie 值,并将我的持久数据与该 cookie 值一起存储在数据库中.然后在页面请求中,我匹配了这些值并拥有我的持久数据,而不让客户端控制那是什么.
Before sessions were all the rage, I basically had my own implementation. I stored a unique cookie value on the client, and stored my persistent data in the database along with that cookie value. Then on page requests I matched up those values and had my persistent data without letting the client control what that was.
这篇关于Cookie 与会话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
