What is the difference between signed and encrypted cookies in Rails?


Question

The documentation of ActionDispatch::Cookies gives nearly identical descriptions for both signed cookies and encrypted cookies. It appears that both use secrets.secret_key_base to prevent client-side tampering. http://api.rubyonrails.org/classes/ActionDispatch/Cookies.html


Signed cookies

Sets a signed cookie, which prevents users from tampering with its value. The cookie is signed by your app's secrets.secret_key_base value. It can be read using the signed method cookies.signed[:name]

cookies.signed[:user_id] = current_user.id



Encrypted cookies

Sets an encrypted cookie value before sending it to the client, which prevents users from reading and tampering with its value. The cookie is signed by your app's secrets.secret_key_base value. It can be read using the encrypted method cookies.encrypted[:name]

cookies.encrypted[:discount] = 45




My question is: What is the difference between the two?

When would you want to use one over the other?

Answer

It's subtle, but the answer is in the documentation you provided. Signed cookies only guard against tampering, while encrypted cookies guard against reading and tampering.

More specifically, signed cookies call ActiveSupport::MessageVerifier to append a digest (generated using secret_key_base) to the cookie. If the value of the cookie is modified, the digest will no longer match, and without knowing the value of secret_key_base, the cookie cannot be signed. The value of the cookie is merely base64 encoded, however, and can be read by anyone.

Encrypted cookies call ActiveSupport::MessageEncryptor to actually encrypt the value of the cookie before generating the digest. Similar to signed cookies, if the value of the cookie is modified the digest will no longer match, but additionally the value of the cookie cannot be decrypted without the secret_key_base.

As to when you'd use encrypted versus signed cookies, it comes down to the sensitivity of the information you're storing in the cookie. If all you want to protect against is someone modifying the cookie, then sign it - but if you also need to keep the data secret, encrypt it.
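To make the distinction in the answer concrete, here is an added example (not from the original post and not Rails' own code) that rebuilds both mechanisms on Ruby's standard OpenSSL library: an HMAC-signed cookie that anyone can base64-decode but nobody can alter without the key, and an AES-256-GCM encrypted cookie that can neither be read nor altered. The secret value, the key-derivation parameters, the hypothetical function names and the `--` wire format are assumptions chosen for the example. The real classes are ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor; Rails 5.2 and later default to AES-256-GCM for encrypted cookies, where the authentication tag takes the place of the separate digest the answer describes, while earlier versions used AES-256-CBC plus an HMAC.

```ruby
require "openssl"
require "base64"
require "json"

# Stand-in for Rails' secrets.secret_key_base. Constructed for this example only;
# a real app reads it from credentials or the environment, never from source.
SECRET_KEY_BASE = "constructed-example-secret-key-base-do-not-reuse".freeze

# Derive distinct keys for signing and for encryption from the one secret.
# Assumption: PBKDF2-HMAC-SHA256 with a purpose string as salt, mirroring the
# idea behind ActiveSupport::KeyGenerator; the parameters are illustrative.
def derive_key(purpose, length)
  OpenSSL::KDF.pbkdf2_hmac(SECRET_KEY_BASE, salt: purpose, iterations: 1000,
                           length: length, hash: "sha256")
end

SIGN_KEY = derive_key("signed cookie", 32)
ENC_KEY  = derive_key("authenticated encrypted cookie", 32)

# Constant-time comparison so a forger cannot time how many digest bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signed cookie: base64(payload)--hex(HMAC-SHA256(payload)).
# Readable by anyone holding it, changeable only with SIGN_KEY.
def sign_cookie(value)
  data = Base64.strict_encode64(JSON.generate(value))
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA256", SIGN_KEY, data)}"
end

# Returns the stored value, or nil if the digest does not match the payload.
def verify_cookie(cookie)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest("SHA256", SIGN_KEY, data), digest)
  JSON.parse(Base64.strict_decode64(data).force_encoding(Encoding::UTF_8))
end

# What the browser (or anyone who captured the cookie) can read without any key.
def peek_signed(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split("--", 2).first).force_encoding(Encoding::UTF_8))
end

# Forgery attempt: swap in a new payload but keep the old digest.
def forge_signed(cookie, new_value)
  "#{Base64.strict_encode64(JSON.generate(new_value))}--#{cookie.split("--", 2).last}"
end

# Encrypted cookie: base64(ciphertext)--base64(iv)--base64(auth tag), AES-256-GCM.
# The GCM tag plays the role of the digest: any change to ciphertext, iv or tag
# makes decryption fail, and the plaintext is unreadable without ENC_KEY.
def encrypt_cookie(value)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = ENC_KEY
  iv = cipher.random_iv          # fresh 96-bit nonce per cookie; never reuse one with a key
  cipher.auth_data = ""
  ciphertext = cipher.update(JSON.generate(value)) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

# Returns the stored value, or nil if the cookie is malformed or fails authentication.
def decrypt_cookie(cookie)
  ciphertext, iv, tag = cookie.to_s.split("--", 3).map { |part| Base64.strict_decode64(part) }
  return nil unless ciphertext && iv && tag
  # OpenSSL accepts truncated GCM tags; insisting on the full 16 bytes stops an
  # attacker from shortening the tag to something brute-forceable.
  return nil unless tag.bytesize == 16
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = ENC_KEY
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  plain = (cipher.update(ciphertext) + cipher.final).force_encoding(Encoding::UTF_8)
  JSON.parse(plain)
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

# Tampering attempt: flip one bit of the ciphertext, leave iv and tag untouched.
def corrupt_encrypted(cookie)
  ciphertext, iv, tag = cookie.split("--", 3)
  raw = Base64.strict_decode64(ciphertext)
  raw.setbyte(0, raw.getbyte(0) ^ 0x01)
  [Base64.strict_encode64(raw), iv, tag].join("--")
end

if __FILE__ == $PROGRAM_NAME
  signed = sign_cookie({ "user_id" => 42 })
  puts "signed cookie:      #{signed}"
  puts "anyone can read:    #{peek_signed(signed).inspect}"
  puts "forged verifies?    #{!verify_cookie(forge_signed(signed, { "user_id" => 1 })).nil?}"

  enc = encrypt_cookie({ "discount" => 45 })
  puts "encrypted cookie:   #{enc}"
  puts "decrypted:          #{decrypt_cookie(enc).inspect}"
  puts "corrupted decrypts? #{!decrypt_cookie(corrupt_encrypted(enc)).nil?}"
end
```

Run it with plain `ruby`: the signed cookie's first segment decodes to the literal `{"user_id":42}`, which is exactly the exposure the answer warns about, while the encrypted cookie's first segment is opaque bytes. Note that encryption hides the content but does not stop the holder from replaying an old cookie unchanged, which is why later Rails versions also wrap cookie values with purpose and expiry metadata.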
