Rails中存储的会话在哪里？ [英] Where is the Session Stored in Rails?

问题描述

在Rails中，我已经实现了用户auth的下面的代码（确认是正确的）。但是，我想确认我对这个奇怪的 session [：session_token] 的想法。这是存储在浏览器中的cookie吗？

  class ApplicationController< ActionController :: Base 
 protect_from_forgery with：：exception 
 
 helper_method：current_user，：signed_in？ 
 
 private 
 def current_user 
 @current_user || = User.find_by_session_token（session [：session_token]）
 end 
 
 def signed_in？ 
 !! current_user 
 end 
 
 def sign_in（user）
 @current_user = user 
 session [：session_token] = user.reset_token！ 
 end 
 
 def sign_out 
 current_user.try（：reset_token！）
 session [：session_token] = nil 
 end 
 $ b b def require_signed_in！ 
 redirect_to new_session_url unless signed_in？ 
 end 
 end 
  

我的理解是，浏览器/客户端向rails发送请求，还发送cookie（ session [：session_token] ），从而允许 current_user 方法来查找用户。我的理解是正确的吗？这对我来说很奇怪，因为当我们在ApplicationController（Rails-side）中声明它时，浏览器/客户端访问会话cookie是多么知道。

解决方案

你就在那儿。虽然，我有一种感觉，你可能会混淆苹果与橙子...

会话： >

在动态网站中，人们常常希望在HTTP请求之间存储用户数据（因为http是无状态的，因此您不能将请求与任何其他请求相关联），但是不希望该数据在网址的客户端（例如.. yourwebsite.com/yourPage?cookie=12345&id=678）上可读和/或可编辑，以此类推...，因为您不希望客户端在不通过您的服务器端代码的情况下处理该数据。

解决此问题的一种方法是存储数据服务器端，给它一个session_token（就像你调用它），并让客户端只知道（并传回每个http请求）该令牌。

b

在Rails中实现会话的最常用的技术涉及使用cookie，这是放置在用户浏览器上的小文本。因为cookie从一个页面持续到下一个页面，所以它们可以存储可以由应用程序用于从数据库检索已登录用户的信息（例如session_token或任何其他您想要的）。

Rails中存储的会话在哪里？

使用上述两个概念，我现在可以告诉你Rails中的默认会话存储是 CookieStore ，大小约为4KB。

简单...

  def sign_in（user）
 @current_user = user 
 session [：session_token] = user.reset_token！ 
 end 
  

...方法将用户置于临时会话中。

接下来的想法是...

  def current_user 
 @current_user || = User.find_by_session_token（session [：session_token]）
 end 
  

$ b b

...方法将从对应于会话令牌的数据库中查找并检索用户，并将其初始化为您指定的变量。

附加信息： / h3>

您还应该注意，Rails的 session 和 code>帮助方法...

他们都生成cookie，但是 session [...] 方法会生成临时 Cookie，这应该在浏览器退出时过期， cookie [...] > Cookie，而不是。

此外，我建议您查看 Ruby on Rails安全指南。您可能会发现它很有用。

希望这有助于您。

In Rails, I have implemented the below code for user auth (confirmed to be correct). However, I wanted to confirm my thinking for this strange session[:session_token]. is this the "cookie" that is stored in the browser?

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception

  helper_method :current_user, :signed_in?

  private
  def current_user
    @current_user ||= User.find_by_session_token(session[:session_token])
  end

  def signed_in?
    !!current_user
  end

  def sign_in(user)
    @current_user = user
    session[:session_token] = user.reset_token!
  end

  def sign_out
    current_user.try(:reset_token!)
    session[:session_token] = nil
  end

  def require_signed_in!
    redirect_to new_session_url unless signed_in?
  end
end 

My understanding so far of how this works is that whenever the browser/client sends a request to rails, the cookie (with the session[:session_token]) is also sent over, thus allowing the current_user method to find the user. Is my understanding correct? This is strange to me because there's a gap of knowledge of how exactly the browser/client gets access to the session cookie when we declare it in ApplicationController (Rails-side).

解决方案

You are pretty much there. Although, I have a feeling you might be confusing apples with oranges...

Sessions:

Very often in dynamic web sites one would want to store user data between HTTP requests (because http is stateless and you can't otherwise associate a request to any other request), but you don't want that data to be readable and/or editable on the client-side inside of the URL (like.. yourwebsite.com/yourPage?cookie=12345&id=678), and so on..., because you don't want the client to play around with that data without passing through your server-side code.

One way to solve this problem is to store that data server-side, give it a "session_token"(as you called it), and let the client only know (and pass back at every http request) that token. This is how the session is implemented.

Cookies:

The most common technique for implementing sessions in Rails involve using cookies, which are small pieces of text placed on the user’s browser. Because cookies persist from one page to the next, they can store information (such as a session_token or whatever else you want) that can be used by the application to retrieve the logged-in user from the database.

Where is the Session Stored in Rails?

Using both of the above concepts I can now tell you that the default session store inside of Rails is CookieStore, which is about 4KB in size.

To put it simply...

def sign_in(user)
  @current_user = user
  session[:session_token] = user.reset_token!
end

...method that you defined places the user into a temporary session.

Then the idea is that the following...

def current_user
  @current_user ||= User.find_by_session_token(session[:session_token])
end

...method would find and retrieve the user from the database corresponding to the session token and initialize it to a variable you specified.

Additional info:

You should also note that there is an important difference between Rails's session and cookies helper methods...

They both generate cookies, however, session[...] method generates temporary cookies, which should expire upon the browser exit, and cookies[...] method creates persistent cookies, which do not.

Additionally, I would suggest having a look at Section 2 of Ruby on Rails Security guide. You might find it useful.

Hope this helps you out.

这篇关于Rails中存储的会话在哪里？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！