将会话数据存储在Cookie中 [英] Storing session data in cookies

问题描述

最近，我偶然发现了一些建议使用cookie存储会话数据的文章。
我喜欢这个想法，通过添加一个工作正常的CookieStorage类来扩展我的会话存储（注意，每个用户我使用唯一的散列键来进行数据加密和加密）
然而，还有很多其他

我个人认为，没有理由为什么不这样做，特别是在加密和签名时该值使用不同的键为每个用户。数据泄露的风险与正常会话相同，不是？更何况，如果你使用SSL，那么劫持的风险就会减少。

我认为这种方法的好处是，如果会话数据不大，在服务器上用于打开/读取/写入会话数据的IO操作较少，不管存储是否为文件，数据库，基于内存

/ p>

感谢

解决方案

如果您使用的是纯cookie存储，完全没有服务器端组件，则用户可以控制数据。保持他的唯一的东西是你的加密/签名方法;但是可以被攻击。如果您没有使用特定于用户会话的加密/签名密钥（即您未使用服务器端会话），那么您几乎只能使用静态密钥。有人可以攻击线下，试图暴力强行它。

如果您使用存储在服务器端会话中的更安全的一次性随机秘密，您可以已经在服务器端会话中存储数据！为什么不保持简单和存储一切有？

如果你这样做主要是为了节省I / O操作，服务器：使用更有效的会话存储，如基于memcache的存储。

Lately I have stumbled upon some articles that suggest using a cookie to store session data. I liked the idea and extended my session storage by adding a CookieStorage class which works fine (note that per user I use a unique hash key for sigining and encrypting data) However, there are a lot of other articles that suggest against storing sensitive data in a cookie, even though you encrypt and sign the value.

Personally, I find no reason why not do it especially when encrypting and signing the value with a different key for each user. The risk of the data being compromised is the same as with normal sessions, no? Not to mention that if you use SSL then the risk for hijacking is eleiminated.

What I see as a benefit with such an approach, if the session data are not large, is fewer IO operations on the server for opening/reading/writing session data, whether the storage is file, db, memory based

I would appreciate your feedback on the matter

Thanks

解决方案

If you're using pure cookie storage with no server-side component at all, then the user is in control of the data. The only thing keeping him from it is your encryption/signing method; but that can be attacked. If you're not using encryption/signing keys specific to the user's session (i.e. you're not using a server-side session), then you're pretty much limited to a static secret. Someone could attack that offline, trying to brute force it. Once they did, they could spoof their entire session.

If you are using more secure one-time random secrets stored in a server-side session... you're already storing data in a server-side session! Why not keep it simple and store everything there? It would also reduce the bandwidth needs required to transfer all the cookies back and forth with every single request.

If you're doing this mainly to save I/O operations on the server: use a more efficient session store like a memcache based store.

这篇关于将会话数据存储在Cookie中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！