Play framework: how do sessions and cookies work?


Problem description


How does play validate a cookie?

  • I noticed that after I restarted the server I was still logged in even though I don't persist any session data in the database.
  • I also noticed that I could set the date on the server to be larger than the expiry date of the cookie and still I was logged in.
  • I logged out (saved the cookie to a text file) and the browser lost the cookie. Then I recreated the cookie from the text file and I was logged in again.

The cookie looks like this:

PLAY_SESSION=e6443c88da7xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-userid%3A1

// My logout code
def logout() = Action {
  Ok("").withNewSession
}


From the documentation
Discarding the whole session
There is a special operation that discards the whole session:

Ok("Bye").withNewSession

Solution

You didn't specify how you authenticate users, so I just guess that you're using the simple sample which is... simple.

It uses the user's id to identify the user, and checks whether the signed session cookie wasn't manipulated; therefore if you recreate the cookie with a proper signature it will still be valid.

You should create some area for session keys on the server side, i.e. in the DB or in a memory cache (which will be faster than the DB). Its key should be randomly generated (and preferably quite long) for each successful login action, and should also contain data for identifying the user, expiration date etc. Next you should put this random sess_key into Play's session instead of the email address of the logged-in user or the id of his row in the DB, and after logout and/or the expiration date it should be removed. In such a case, even if you lose the cookie after logout it will be impossible to log in properly with a non-existing sess_key.

AFAIR the standard memory cache will be purged at every restart of the application; to make sure that all sess_keys from the DB will be removed as well, you can use the Global object and truncate the table in the onStart(...) method.
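To illustrate the answer's point, here is an added Python model (not Play code and not from the original thread) of a Play-2-style signed PLAY_SESSION cookie next to the server-side sess_key registry the answer proposes: the stateless check accepts a replayed cookie after logout, the registry does not. The secret, field names and TTL are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed stand-in for Play's application.secret (assumption, not a real value).
SECRET = b"constructed-application-secret"
TTL = 3600  # assumed server-side session lifetime in seconds

def sign(payload: str) -> str:
    """Hex HMAC-SHA1 over the session payload, the scheme Play 2 used for PLAY_SESSION."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha1).hexdigest()

def encode_cookie(data: Dict[str, str]) -> str:
    """signature-payload, with key:value pairs joined by NUL as Play 2 did."""
    payload = "\x00".join(f"{k}:{v}" for k, v in data.items())
    return f"{sign(payload)}-{payload}"

def decode_cookie(cookie: str) -> Optional[Dict[str, str]]:
    """Stateless check: only proves the cookie was made with SECRET, not that
    the user is still logged in. A cookie saved before logout decodes forever."""
    sig, _, payload = cookie.partition("-")
    if not hmac.compare_digest(sig, sign(payload)):
        return None
    return dict(item.split(":", 1) for item in payload.split("\x00") if item)

# Server-side registry from the answer: sess_key -> {"userid", "expires"}.
SESSIONS: Dict[str, Dict] = {}

def login(userid: str, now: float) -> str:
    sess_key = secrets.token_hex(32)  # long random key, fresh per login
    SESSIONS[sess_key] = {"userid": userid, "expires": now + TTL}
    return encode_cookie({"sess_key": sess_key})  # cookie carries only the key

def logout(cookie: str) -> None:
    data = decode_cookie(cookie)
    if data:  # withNewSession alone would leave this entry behind
        SESSIONS.pop(data.get("sess_key", ""), None)

def current_user(cookie: str, now: float) -> Optional[str]:
    data = decode_cookie(cookie)
    if not data or "sess_key" not in data:
        return None
    entry = SESSIONS.get(data["sess_key"])
    if entry is None or entry["expires"] <= now:  # server clock, not cookie expiry
        SESSIONS.pop(data["sess_key"], None)
        return None
    return entry["userid"]

def on_start() -> None:
    """Mirror of the Global.onStart advice: drop every stored key on restart."""
    SESSIONS.clear()
```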
