Cookie VS会话 [英] Cookie VS Session

问题描述

几个月前我开始使用PHP。为了为我的网站创建登录系统，我阅读了关于Cookie和会话及其差异（Cookie存储在用户的浏览器和服务器上的会话）。当时，我喜欢cookies（和谁不喜欢cookie？！），只是说：谁关心？我没有什么好存储在我的服务器，所以，我继续使用cookies我的学士毕业项目。然而，在我的应用程序的大部分，我听说，对于存储用户的ID的特定情况下，会话是更恰当的。所以我开始思考如果陪审团问我为什么要使用cookies而不是会话，我会说什么？我有这个原因（我不需要在内部存储关于用户的信息）。是否足够为原因？或者它更多？

请告诉我使用cookie保存用户ID的优点/缺点。

I started using PHP a couple of months ago. For the sake of creating a login system for my website, I read about cookies and sessions and their differences (cookies are stored in the user's browser and sessions on the server). At that time, I preferred cookies (and who does not like cookies?!) and just said: "who cares? I don't have any good deal with storing it in my server", so, I went ahead and used cookies for my bachelor graduation project. However, after doin' the big part of my app, I heard that for the particular case of storing user's ID, sessions are more appropriate. So I started thinking about what would I say if the jury asks me why have you used cookies instead of sessions? I have just that reason (that I do not need to store internally information about the user). Is that enough as a reason? or it's more than that?
Could you please tell me about advantages/disadvantages of using cookies for keeping User's ID?

感谢您对StackOverflow的支持！

Thanks for you all in StackOverflow!

推荐答案

这个概念是在网页加载时为网站访问者存储持久数据。 Cookies直接在客户端上存储。会话使用Cookie作为排序关键字，以与存储在服务器端的数据相关联。

The concept is storing persistent data across page loads for a web visitor. Cookies store it directly on the client. Sessions use a cookie as a key of sorts, to associate with the data that is stored on the server side.

最好使用会话，因为实际值是隐藏的从客户端，并且您控制何时数据到期并变得无效。如果所有都是基于Cookie，用户（或黑客）可以操纵他们的Cookie数据，然后向您的网站发出请求。

It is preferred to use sessions because the actual values are hidden from the client, and you control when the data expires and becomes invalid. If it was all based on cookies, a user (or hacker) could manipulate their cookie data and then play requests to your site.

编辑：我不认为是使用cookie的任何优势，除了简单。看这个方式...用户有什么理由知道他们的ID＃？通常我会说不，用户没有这个信息的需要。给出的信息应该限制在需要知道的基础上。如果用户将Cookie更改为具有不同的ID，应用程序将如何响应？这是一个安全风险。

I don't think there is any advantage to using cookies, other than simplicity. Look at it this way... Does the user have any reason to know their ID#? Typically I would say no, the user has no need for this information. Giving out information should be limited on a need to know basis. What if the user changes his cookie to have a different ID, how will your application respond? It's a security risk.

在会话开始之前，我基本上有我自己的实现。我在客户端存储了一个唯一的cookie值，并将我的持久性数据与该cookie值一起存储在数据库中。然后根据页面请求匹配这些值，并拥有我的持久数据，而不让客户端控制是什么。

Before sessions were all the rage, I basically had my own implementation. I stored a unique cookie value on the client, and stored my persistent data in the database along with that cookie value. Then on page requests I matched up those values and had my persistent data without letting the client control what that was.

这篇关于Cookie VS会话的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！