Client side sessions

Question

I want the clients of several related web apps to hold their own authentication state. This improves scalability, because no session replication between cluster nodes is needed. And it makes integration of different server technologies like Java Servlets and PHP easier.

My plan is as follows:

  1. After the client has authenticated, set a signed and encrypted cookie holding the user name and the session expiry time.

  2. When the client sends a request, the server decrypts and verifies the cookie and grants or denies access based on the cookie values.

  3. The session expiry is refreshed by resetting the cookie.

All servers that want to use the session have only to know the cookie mechanism and the decryption key. See also: Session state in the client tier

Is this approach ok? Would it be possible to integrate it into a servlet container / application Server so that it is transparent to the applications? A servlet should be able to use HttpServletRequest#getRemoteUser() for example. Is this possible? Or would I need something above the container level like Spring Security? Are there any existing libraries for client side session management?
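
The three steps of the plan above, sketched as an added example that is not code from the question or from any servlet container or library: a stdlib-only Python version of the signed cookie (HMAC over user name and expiry), its verification with expiry and constant-time MAC checks, and the refresh step. Encryption is left out, and the key, TTL and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: every server that validates the session would hold this same secret,
# which is exactly why anyone who obtains it can mint a valid cookie for any user.
SECRET_KEY = b"constructed-demo-key-not-for-production"
SESSION_TTL = 30 * 60  # seconds a freshly issued cookie stays valid


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user: str, now: float = None, key: bytes = SECRET_KEY) -> str:
    """Step 1: cookie value = base64(JSON{user, exp}) '.' base64(HMAC-SHA256 over that payload)."""
    now = time.time() if now is None else now
    payload = _b64e(json.dumps({"user": user, "exp": int(now + SESSION_TTL)}).encode())
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64e(mac)}"


def verify_cookie(cookie: str, now: float = None, key: bytes = SECRET_KEY):
    """Step 2: return the user name if the MAC matches and the session has not expired, else None."""
    now = time.time() if now is None else now
    try:
        payload, mac = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(mac)):
            return None  # tampered, or signed with a different key
        claims = json.loads(_b64d(payload))
        if claims["exp"] <= now:
            return None  # expired: the server must reject, the client cannot extend it alone
        return claims["user"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed cookie


def refresh_cookie(cookie: str, now: float = None, key: bytes = SECRET_KEY):
    """Step 3: re-issue the cookie with a new expiry, but only if the old one still verifies."""
    user = verify_cookie(cookie, now, key)
    return issue_cookie(user, now, key) if user else None
```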

Accepted answer

Not a good idea. Storing vital data like session expiry and user name entirely on client side is too dangerous IMO, encrypted or not. Even if the concept is technically safe in itself (I can't answer that in depth, I'm no encryption expert), a break-in could be facilitated without compromising your server, just by acquiring your encryption key.

Somebody who gets hold of the key could generate session cookies at will, impersonating any user for any length of time, something the classical session concept is designed to prevent.

There are better and scalable solutions for this problem. Why not, for instance, set up a central session verification instance that all associated servers and services can poll? Look around on the web, I am 100% sure there are ready-made solutions addressing your needs.
