问题描述
所有 CI 用户都知道默认情况下会话存储在 cookie 中.
all CI users know that by default sessions are stored in cookies.
但是这个实现的重点是什么?我实在找不到合适的理由.
But what exactly is the point of this implementation? I really can't find a good reason.
好的,在共享服务器中人们可以访问会话文件,但是客户端呢?我也可以更改 cookie 中的数据,作为一种单向"方法,我什至如何在服务器端验证会话 cookie 中的数据?我觉得很奇怪,更何况cookie会遇到大小问题.
OK, in a shared server people might gain access to the session files but what about the client side? I could change the data in the cookie as well and being a "one-way" method how do I even validate the data in session cookie on the server side?I find it very odd, not to mention the cookie could encounter problems of size.
我知道数据库方法,但是如果我在一个完全控制的专用服务器中并且我不想浪费数据库资源在非常单一的页面上查询会话表会不会更灵活/默认提供经典的 PHP 方法是否有用,以便我可以使用 cookie 中的 ID 验证数据?
I'm aware of the database method but what if I'm in a dedicated server with full control and I don't want to waste db resources to query the session table at very single page wouldn't have been more flexible/useful to offer by default the classic PHP method so I can validate the data with the ID in the cookie?
推荐答案
您可以使用 CSRF 保护并加密 cookie 以加强系统对 cookie 操纵的能力.
You can use CSRF protection and encrypt the cookies to strengthen the system against cookie manipulation.
如果您担心安全性,那么您绝对应该将数据库用于会话.除非您有大量用户,否则对数据库的影响可以忽略不计.如果您确实有大量用户,那么请考虑分配工作负载,因为会话查找将是您最不担心的事情.
If you are concerned about security, though, you absolutely should be using the db for sessions. Unless you have tons of users, the hit on the db will be negligible. If you do have tons of users, time to think about distributing the workload as the session lookup will be the least of your worries.
客户端 cookie 更多用于状态.它们可用于登录表单上的记住我"或页面布局或其他内容.它们不应用于保护您的应用程序.
The client cookies are more for state. They can be used for things like "remember me" on login forms or for a page layout or something. They should not be used for securing your application.
如果您不使用 db session,则无法通过 cookie 验证会话,因为应用程序无法存储会话 ID.
You can not verify a session via cookie if you are not using db sessions as there is no where for the application to store the session id.
请参阅 http://ellislab.com/codeigniter/user-guide/library/sessions.html 了解更多详情.
Please see http://ellislab.com/codeigniter/user-guide/libraries/sessions.html for more details.
这篇关于Codeigniter 仅在 cookie 中存储会话数据有什么意义?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!