Why store sessions on the server instead of inside a cookie?

Views: 81

Question


I have been using Flask for some time now and I am really enjoying the framework. One thing that I fail to understand is that in almost all other places they talk about storing the session on the server and the session id on the client, which would then identify the session. However, after using Flask, I don't feel the need to do so. Saving the session as a cookie on the client cryptographically serves my purpose and seems quite secure too. The only thing being I am unable to encrypt the session keys, e.g.:

session['life'] = 'the great one'

will show up as

life='gfhjfkjdfa some encryption kj'


in the cookie saved on the client. But how would that matter, as it is still encrypted? I am sure that people here know things much better than I do, so I request someone to please clarify :-)

Accepted answer


Even if your data is encrypted, the user could still roll back their cookie to a previous state (unless you start encoding one-time IDs etc)


e.g. cookie says the user has 100 credits, user spends 100 credits, they get a new cookie saying they have 0 credits. They could then restore their previous cookie (with 100 credits).


Depending on how you encrypt the cookie, the user may also be able to delete keys, insert bogus data, etc. too.
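The rollback described in the answer, as an added example that is not part of the original question or answer and not Flask's own code. It uses a minimal HMAC-signed cookie (Flask's default session cookie is signed, not encrypted, but the rollback works the same way either way) and constructed sample data: a "credits" counter. Three variants are compared: state kept in the cookie, where re-sending an old cookie restores the old balance; state kept on the server behind an opaque session id, where the old cookie simply points at the current record; and the "one-time ID" idea from the answer, where each issued cookie carries a version the server remembers so a stale copy is rejected. `SECRET_KEY`, `SESSION_STORE` and `LATEST_VERSION` are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder for the application's secret signing key.
SECRET_KEY = b"constructed-example-secret-key"


def sign_cookie(data: dict) -> str:
    """Serialize data and append an HMAC-SHA256 tag (signed, not encrypted)."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def load_cookie(cookie: str) -> dict:
    """Verify the tag and return the data; tampering is detected, replay is not."""
    payload, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cookie signature invalid")
    return json.loads(base64.urlsafe_b64decode(payload))


# --- Variant 1: all state lives in the cookie (client-side session) ---
def spend_client_side(cookie: str, amount: int) -> str:
    data = load_cookie(cookie)
    if data["credits"] < amount:
        raise ValueError("insufficient credits")
    data["credits"] -= amount
    return sign_cookie(data)  # server hands back a new, validly signed cookie


def rollback_demo_client_side() -> int:
    old = sign_cookie({"credits": 100})
    spend_client_side(old, 100)            # user now holds a cookie saying 0
    # The user re-sends the saved copy of the old cookie; the signature is
    # still valid, so the server trusts it and sees 100 credits again.
    return load_cookie(old)["credits"]      # -> 100


# --- Variant 2: cookie carries only an opaque id, state is server-side ---
SESSION_STORE: dict = {}  # assumed server-side store (e.g. database/Redis)


def new_server_session(initial: dict) -> str:
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = dict(initial)
    return sign_cookie({"sid": sid})


def spend_server_side(cookie: str, amount: int) -> None:
    state = SESSION_STORE[load_cookie(cookie)["sid"]]
    if state["credits"] < amount:
        raise ValueError("insufficient credits")
    state["credits"] -= amount              # mutation happens on the server


def rollback_demo_server_side() -> int:
    old = new_server_session({"credits": 100})
    spend_server_side(old, 100)
    # Re-sending the old cookie resolves to the same server record, which
    # already reflects the spend; there is no old state to roll back to.
    return SESSION_STORE[load_cookie(old)["sid"]]["credits"]  # -> 0


# --- Variant 3: client-side state plus a server-remembered version ---
LATEST_VERSION: dict = {}  # assumed per-user record of the newest issued cookie


def issue_versioned(user: str, credits: int) -> str:
    version = LATEST_VERSION.get(user, 0) + 1
    LATEST_VERSION[user] = version
    return sign_cookie({"user": user, "credits": credits, "v": version})


def load_versioned(cookie: str) -> dict:
    data = load_cookie(cookie)
    if data["v"] != LATEST_VERSION.get(data["user"]):
        raise ValueError("stale cookie replayed")
    return data


def rollback_demo_versioned() -> bool:
    old = issue_versioned("alice", 100)
    current = load_versioned(old)
    issue_versioned("alice", current["credits"] - 100)  # spend -> newer version
    try:
        load_versioned(old)                 # old version no longer matches
        return False
    except ValueError:
        return True                         # replay detected
```

Variant 3 still needs per-user state on the server (the latest version), which is why the answer treats it as an extra mechanism rather than a way to avoid server-side storage altogether.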
