Web authentication state - Session vs Cookie?


Question


What's the best way to authenticate and track user authentication state from page to page? Some say session state, some say cookies?


Could I just use a session variable that has the ID of the user and upon authentication, instantiate a custom User class that has the User's information. Then, on every page, verify the session variable is still active and access basic user data from the User object?


Any thoughts? Any good examples?

Accepted answer


There's no perfect way to do it. If you store it in a cookie you'll take flak that cookies can be stolen. If you store it in the session you'll take flak because sessions can be hijacked.


Personally, I tend to think a session is a little more reliable because the only thing stored on the client is a session key. The actual data remains on the server. It plays the cards a little closer to the chest, if you will. However, that's just my preference, and a good hacker would be able to get past shoddy security regardless.


No matter what you do, don't try to implement this yourself. You'll get it wrong. Use the authentication system provided by your specific platform. You also need to make sure you have adequate security precautions protecting the authentication token.
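As an added, framework-neutral illustration of the two models the answer contrasts (this is not code from the original question or answer; `SessionStore`, `set_cookie_header`, `sign_cookie` and `verify_cookie` are assumed names), a server-side session leaves only an opaque random key on the client, whereas a cookie that carries the user ID itself must be integrity-protected so it cannot be edited into another user's ID; in both cases the token is sent with the cookie attributes that keep it off plain HTTP and away from script.

```python
# Added example (not from the original page). Assumed names: SessionStore,
# set_cookie_header, sign_cookie, verify_cookie.
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Server-side session: the client only ever holds an opaque random key."""

    def __init__(self, ttl_seconds=1800):
        self._sessions = {}
        self.ttl = ttl_seconds

    def create(self, user_id):
        key = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[key] = {"user_id": user_id, "expires": time.time() + self.ttl}
        return key

    def lookup(self, key):
        """Return the user ID for a live session key, or None if unknown/expired."""
        s = self._sessions.get(key)
        if s is None or s["expires"] < time.time():
            self._sessions.pop(key, None)
            return None
        return s["user_id"]

    def destroy(self, key):
        """Logout: the key becomes worthless even if it was copied earlier."""
        self._sessions.pop(key, None)


def set_cookie_header(name, value):
    """Cookie attributes that protect the token in transit and from page script."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Client-side alternative: the user ID lives in the cookie, so it must be signed.
def sign_cookie(user_id, secret):
    mac = hmac.new(secret, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_cookie(cookie, secret):
    """Return the user ID only if the MAC matches; a tampered ID yields None."""
    try:
        user_id, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, user_id.encode(), hashlib.sha256).hexdigest()
    return int(user_id) if hmac.compare_digest(mac, expected) else None
```

The `sign_cookie`/`verify_cookie` pair is what a platform's forms-authentication or signed-cookie middleware does for you; the point of the answer stands, since the secret handling, expiry and rotation are exactly the parts that are easy to get wrong by hand.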

