Difference between usage of session_id and remember_user_token by a Rails application with Devise


Question



I am using Devise-1.5.4 with Rails 3.0.20. Here are the facts that I am aware of:

1. There is a Cookie for session_id with the browser, which helps a normal application uniquely track a session. There may or may not be a user signed in.
2. If a user is signed in (and assuming he selected remember_me), there is another Cookie for remember_user_token with the browser.
3. In my application, I use (devise provided) methods like current_user, authenticate_user! to validate a user.
4. The above methods call authenticate!, which itself calls serialize_from_cookie, that uses remember_token to authenticate the user.

I am a bit confused about the usage of session_id.

1. When is that used, and how?
2. If a user is signed in, for my rails application (or devise) to uniquely identify the user, will it ever use session_id?
3. What happens when the user doesn't select remember_me (and there is no remember_token)? How does devise validate the current_user?

Solution

The session cookie, as the name suggests, is valid for the current browser session only, i.e. it is not available if the browser is quit and reopened (unless you do something like restore session, in which case the browser restores the cookies from the previous session).

The remember cookie is for extending the login period beyond the current session.

Devise uses warden, and the way it works is:

1) Devise registers several strategies with warden, viz: session key based auth, auth from params, auth from remember token, etc.
2) When the request comes in, warden runs each of those strategies.
3) If any one strategy succeeds in authenticating the request, warden sets the "user" (which you get via the current_user helper method later) and stops running subsequent strategies.
4) If none of the strategies succeed, it is declared that no user is currently logged in (and current_user would return nil).

So in your case, if the session_id is set (i.e. the key warden.user.user.key is set to a valid user id), the session based authentication strategy succeeds and the user is considered logged in. If that session is not available, then warden moves on to the next strategy and subsequently arrives at the "auth from remember_token" strategy. This strategy checks for the existence of a remember cookie. If present, it gets the token from that cookie and verifies that it is still valid and not expired. If so, then it sets the "user" and the user is considered logged in. If the token has expired, again the user is considered not logged in.

If, while logging in, the user does not select remember_me, then the remember token is not set in the remember cookie. In such a case, if the user closes his browser and opens it again (without restoring the previous session), then the user is no longer logged into your system.

Reading through the Warden documentation and warden code would be very helpful to understand this whole flow. You can put in debug print/log lines in the warden code and run your app to understand how all of this is working.
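The cascade the answer describes (session key first, then remember token, first success wins), modelled as an added example that is not Devise or Warden code. The USERS table, the "id|token" cookie format, the two-week lifetime and the function names are constructed assumptions for this illustration.

```ruby
# Added example, not Devise or Warden code: a minimal model of the strategy
# cascade described in the answer. USERS, the "id|token" cookie format and the
# two-week lifetime are constructed assumptions for this illustration.
USERS = {
  7 => { id: 7, remember_token: 'tok-7', remember_created_at: Time.utc(2024, 1, 1) }
}.freeze
REMEMBER_FOR = 14 * 24 * 3600 # seconds; assumed two-week remember period

# Constant-time comparison so a token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Strategy 1: session-based auth. The session cookie identifies the session;
# the key warden.user.user.key inside it holds the logged-in user's id.
def session_strategy(env)
  USERS[env[:session]['warden.user.user.key']]
end

# Strategy 2: remember-token auth. Reads remember_user_token, checks that the
# token matches the stored one and that it has not expired.
def remember_strategy(env, now: Time.now.utc)
  raw = env[:cookies]['remember_user_token']
  return nil unless raw
  id, token = raw.split('|', 2)
  user = USERS[id.to_i]
  return nil unless user && token && secure_compare(user[:remember_token], token)
  return nil if now - user[:remember_created_at] > REMEMBER_FOR # expired token
  user
end

# Warden-like cascade: strategies run in order, the first success sets the
# user (what current_user would return); otherwise nil means not logged in.
def authenticate(env, now: Time.now.utc)
  strategies = [-> { session_strategy(env) }, -> { remember_strategy(env, now: now) }]
  strategies.each do |strategy|
    user = strategy.call
    return user if user
  end
  nil
end
```

Closing the browser drops the session cookie, so only the second strategy can succeed afterwards, and only while the remember token is valid and unexpired.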

