Sessions made sense to me before I started reading about them online


Problem description


The main thing I've gathered from reading about Sessions vs Cookies is that Cookies are stored on the client-side and that sessions are stored on the server-side. If sessions are stored on the server-side, then how does the server ever know which client is theirs? Clearly, something must be on the client-side.


Whenever I use my self-rolled user authentication, I have a session_token column in my users database table.


Then, this module tends to facilitate sessions for me:

module SessionsHelper
  # Look up the user whose session_token matches the one carried in the
  # (cookie-backed) Rails session hash; nil when nobody is logged in.
  def current_user
    User.find_by_session_token(session[:session_token])
  end

  # Log a user in: remember their token in the session so later requests
  # can find the same user again.
  def current_user=(user)
    @current_user = user
    session[:session_token] = user.session_token
  end

  # Log out: rotate the server-side token so any copy of the old one is
  # useless, then drop it from the session.
  def logout_current_user!
    current_user.reset_session_token!
    session[:session_token] = nil
  end

  # Before-filter helpers for pages that require (or forbid) a logged-in user.
  def require_current_user!
    redirect_to new_session_url if current_user.nil?
  end

  def require_no_current_user!
    redirect_to user_url(current_user) unless current_user.nil?
  end
end


I believe by sessions being stored on the server-side, they mean the session_token every User has. Further, the session hash must be on the client-side. If not, where is it? Notice, I'm storing the session_token of the user like this: session[:session_token] = user.session_token. Lastly, if I'm right that the session is on the client-side, how are it and the session_token kept secure?


Lastly, is this the same way sessions tend to be handled on other frameworks (like Django, php frameworks, etc.)? If not, what are some key differences?

Thanks a lot.

Recommended answer


The Rails security guide has some good information on sessions:

http://guides.rubyonrails.org/v3.2.16/security.html#sessions


Basically, the session data can all be stored in the cookie (the default) but it's signed with a digest to protect against tampering using a server-side secret (but the cookie data is not encrypted in Rails 3.2, only base64 encoded, though I believe it is encrypted in Rails 4).


The alternative is that only the session id is stored in the cookie, and the session data is stored on the server somewhere (e.g. ActiveRecord::SessionStore).


I think the client/server side session options would be widely supported (especially server-side). Other options for server-side session storage could be memcache shared between servers, or even memory or file storage which would be separate for each web server in a cluster which would mean your load balancer would need to support sticky sessions (to make sure a user's requests were all routed to the same server because the other servers wouldn't know about it). If I remember correctly, that's what Apache Tomcat was like in the old days for server-side sessions, before clustering support was added.
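As an added illustration of the cookie-store design the answer describes (this is not code from the original post or from Rails; it assumes JSON serialization, where Rails 3.2 used Marshal, and a "payload--digest" cookie layout), the snippet below signs the whole session hash with a server-side secret, rejects a cookie whose payload was changed, and shows that the payload is still readable by anyone holding the cookie:

```ruby
require "json"
require "openssl"

# Added example, not code from the original post or from Rails: a minimal
# cookie-store session in the style the answer describes. The whole session
# hash travels in the cookie, base64-encoded and HMAC-signed with a secret
# only the server holds. Assumptions: JSON serialization (Rails 3.2 used
# Marshal) and a "payload--digest" cookie layout.
SERVER_SECRET = "constructed-demo-secret".freeze # constructed, never reuse

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SERVER_SECRET, payload)
end

# Constant-time comparison so verification timing does not leak digest bytes.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server, on response: session hash -> cookie value ("m0" = strict base64).
def encode_session(session)
  payload = [JSON.generate(session)].pack("m0")
  "#{payload}--#{sign(payload)}"
end

# Server, on request: cookie value -> session hash, or nil if the digest does
# not match (changed payload, truncated cookie, or a different secret).
def decode_session(cookie)
  payload, digest = cookie.split("--", 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(sign(payload), digest)
  JSON.parse(payload.unpack1("m0"))
end

# Client side: the cookie is readable by whoever holds it, no secret needed.
# This is the "encoded, not encrypted" caveat from the answer.
def peek_without_secret(cookie)
  JSON.parse(cookie.split("--", 2).first.unpack1("m0"))
end

# Replace the payload but keep the old digest, which is all a client without
# the secret can do; decode_session rejects the result.
def alter_payload_keeping_digest(cookie, session)
  "#{[JSON.generate(session)].pack('m0')}--#{cookie.split('--', 2).last}"
end
```

Encrypting the cookie (as later Rails versions do) would additionally stop `peek_without_secret` from reading the contents; the signature alone only guarantees integrity.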

