Web authentication state - Session vs Cookie vs?


Question

What's the best way to authenticate and track user authentication state from page to page? Some say session state, some say cookies?

Could I just use a session variable that has the ID of the user and, upon authentication, instantiate a custom User class that has the User's information? Then, on every page, verify the session variable is still active and access basic user data from the User object?

Any thoughts? Any good examples?

Answer

There's no perfect way to do it. If you store it in a cookie you'll take flak that cookies can be stolen. If you store it in the session you'll take flak because sessions can be hijacked.

Personally, I tend to think a session is a little more reliable because the only thing stored on the client is a session key. The actual data remains on the server. It plays the cards a little closer to the chest, if you will. However, that's just my preference, and a good hacker would be able to get past shoddy security regardless.

No matter what you do, don't try to implement this yourself. You'll get it wrong. Use the authentication system provided by your specific platform. You also need to make sure you have adequate security precautions protecting the authentication token.
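The pattern the question sketches (session key on the client, user ID and User object on the server, a per-request validity check) and the answer's point about protecting the token, shown as an added example that is not part of the original question or answer and not any platform's built-in auth system. It is a constructed in-memory store with hypothetical `SessionStore`, `User` and `Session` names; a real deployment would use the platform's session framework, as the answer recommends, and this only illustrates what that framework does for you.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed example: server-side session state. The browser only ever holds
# the random session key in a cookie; the user ID and User object stay on the
# server, which is the "cards closer to the chest" property from the answer.

SESSION_TTL_SECONDS = 30 * 60   # idle timeout chosen for this example
COOKIE_NAME = "sid"             # hypothetical cookie name


@dataclass
class User:
    user_id: int
    username: str
    roles: tuple = ()


@dataclass
class Session:
    user_id: int
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self, users):
        self._users = users      # hypothetical lookup table: user_id -> User
        self._sessions = {}      # session key -> Session, server side only

    def login(self, user_id, now=None):
        """Issue a fresh, unguessable key after credentials have been verified.

        A new key on every login means a key chosen before authentication
        (session fixation) never becomes an authenticated session.
        """
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[key] = Session(user_id, now, now)
        return key

    def set_cookie_header(self, key):
        """Cookie attributes that keep the token off scripts and plaintext links."""
        return (f"{COOKIE_NAME}={key}; HttpOnly; Secure; SameSite=Lax; Path=/; "
                f"Max-Age={SESSION_TTL_SECONDS}")

    def current_user(self, key, now=None):
        """Per-request check: known key and not idle-expired -> User, else None."""
        now = time.time() if now is None else now
        sess = self._sessions.get(key)
        if sess is None:
            return None                           # unknown or already revoked
        if now - sess.last_seen > SESSION_TTL_SECONDS:
            del self._sessions[key]               # idle timeout: drop server state
            return None
        sess.last_seen = now                      # sliding expiry on activity
        return self._users.get(sess.user_id)

    def logout(self, key):
        """Revoke on the server; the cookie value is then worthless to anyone."""
        self._sessions.pop(key, None)


if __name__ == "__main__":
    users = {42: User(42, "alice", ("member",))}   # constructed user table
    store = SessionStore(users)
    key = store.login(42)
    print(store.set_cookie_header(key))
    print(store.current_user(key))                 # User(user_id=42, ...)
    store.logout(key)
    print(store.current_user(key))                 # None
```

Each request resolves the cookie value to a User only through the server-side table, so there is nothing in the cookie to tamper with, and a logout or timeout takes effect immediately because the server forgets the key rather than relying on the browser to discard it.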
