Cookie与会话 [英] Cookies vs. sessions

问题描述

几个月前，我开始使用PHP.为了为我的网站创建一个登录系统，我阅读了有关cookie和会话及其区别(cookie存储在用户的浏览器中以及服务器上的会话中)的信息.当时，我更喜欢cookie(谁不喜欢cookie ?！)，只是说:谁在乎?我在将它存储在服务器中没有任何好处"，所以，我继续使用cookie我的学士毕业项目.但是，在完成了我的应用程序的大部分工作之后，我听说对于存储用户ID的特定情况，会话更为合适.因此，我开始考虑如果陪审团问我为什么要使用Cookie而不是会议?我有这个理由(我不需要在内部存储有关用户的信息).足够作为理由吗?还是不止于此?
能否请您介绍使用cookie保留用户ID的优缺点?

I started using PHP a couple of months ago. For the sake of creating a login system for my website, I read about cookies and sessions and their differences (cookies are stored in the user's browser and sessions on the server). At that time, I preferred cookies (and who does not like cookies?!) and just said: "who cares? I don't have any good deal with storing it in my server", so, I went ahead and used cookies for my bachelor graduation project. However, after doin' the big part of my app, I heard that for the particular case of storing user's ID, sessions are more appropriate. So I started thinking about what would I say if the jury asks me why have you used cookies instead of sessions? I have just that reason (that I do not need to store internally information about the user). Is that enough as a reason? or it's more than that?
Could you please tell me about advantages/disadvantages of using cookies for keeping User's ID?

谢谢大家在StackOverflow！

Thanks for you all in StackOverflow!

推荐答案

该概念是为Web访问者存储跨页面加载的持久性数据. Cookies将其直接存储在客户端上.会话使用cookie作为排序键，以与存储在服务器端的数据相关联.

The concept is storing persistent data across page loads for a web visitor. Cookies store it directly on the client. Sessions use a cookie as a key of sorts, to associate with the data that is stored on the server side.

首选使用会话，因为实际值对客户端是隐藏的，并且您可以控制数据何时到期并变为无效.如果全部基于Cookie，则用户(或黑客)可以操纵其Cookie数据，然后向您的网站播放请求.

It is preferred to use sessions because the actual values are hidden from the client, and you control when the data expires and becomes invalid. If it was all based on cookies, a user (or hacker) could manipulate their cookie data and then play requests to your site.

我认为使用cookie除了简单之外没有任何优势.这样看吧...用户是否有任何理由知道其ID#?通常，我会说不，用户不需要此信息.提供信息应基于需要的了解而受到限制.如果用户将其Cookie更改为具有不同的ID怎么办，您的应用程序将如何响应?这是安全隐患.

I don't think there is any advantage to using cookies, other than simplicity. Look at it this way... Does the user have any reason to know their ID#? Typically I would say no, the user has no need for this information. Giving out information should be limited on a need to know basis. What if the user changes his cookie to have a different ID, how will your application respond? It's a security risk.

在所有会议风靡一时之前，我基本上有自己的实现.我在客户端上存储了一个唯一的cookie值，并将我的持久数据与该cookie值一起存储在数据库中.然后在页面请求中，我匹配了这些值并拥有了我的持久数据，而没有让客户端控制那是什么.

Before sessions were all the rage, I basically had my own implementation. I stored a unique cookie value on the client, and stored my persistent data in the database along with that cookie value. Then on page requests I matched up those values and had my persistent data without letting the client control what that was.

这篇关于Cookie与会话的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！