Rails、CookieStore 与 ActiveRecordStore

发布于 2024-09-14 06:00:00 字数 445 浏览 6 评论 0原文

我目前遇到一个奇怪的问题,我们的用户被注销。我无法明确地重现它。

Rails 应用程序使用默认的 CookieStore。

我最初的假设是,不知何故 cookie 中的会话数据,甚至 cookie 本身都被破坏了。这可能是由于用户清除了浏览器数据,或者是系统内尚未捕获的某些内容。

截至目前,身份验证系统似乎按预期运行(Authlogic),并且我们没有在应用程序的其他组件中广泛遇到该问题。

我正在考虑使用 ActiveRecordStore 来查看问题是否得到解决。我的理解是会话数据将存储在数据库中,如果删除 cookie,用户将不会注销。

使用 CookieStore 与 ActiveRecordStore 是否有许多已知的优点/缺点?

为什么创建 Rails 应用程序时默认使用 CookieStore,而不是 ActiveRecordStore?

I am currently experiencing a strange issue with our users being logged out. I haven't been able to reproduce it explicitly.

The Rails application is using the default CookieStore.

My initial hypothesis is that somehow the session data within the cookie, or even the cookie itself is being destroyed. This may be either from a user clearing browser data, or something within the system that has not been caught.

As of now, the authentication system appears to be functioning as intended (Authlogic), and we are not experiencing the issue wide-spread in other components of the application.

I am considering using ActiveRecordStore to see if the problem is resolved. My understanding is the session data would be stored within the database, and if a cookie was being removed - the user would not get logged out.

Are there many known pros/cons to using CookieStore vs ActiveRecordStore?

Why is CookieStore the default when creating a Rails application, and not ActiveRecordStore?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

梦里的微风 2024-09-21 06:00:00

我可以回答你最后两个问题。

  • 如果您在会话中存储敏感数据,则不应使用 Cookie 存储,因为您希望此类数据位于服务器端而不是客户端。

  • Cookie 存储是默认设置,因为 Rails 强烈提示您不应在会话中存储大量数据,因为 Cookie 存储限制为 4 KB。

I can answer your last two questions.

  • You should not use the cookie store if you're storing sensitive data in the session because you want such data to be on the server-side and not on the client.

  • The cookie store is the default because Rails is giving you a strong hint that you should not be storing lots of data in the session, by virtue of the fact that cookie storage is limited to 4 KB.

愛放△進行李 2024-09-21 06:00:00

我认为 CookieStore 是默认的,因为它很简单。它不需要数据库表。

CookieStore 不如 ActiveRecordStore 安全。使用 CookieStore,拦截的 cookie 将永远允许访问有效会话,即使您创建了一个新会话。使用 ActiveRecordStore,您可以通过从数据库中删除会话来使其失效。

请参阅此博客文章:http://www.bryanrite .com/ruby-on-rails-cookiestore-security-concerns-lifetime-pass/

I think CookieStore is the default because it is simple. It doesn't require a database table.

CookieStore is not as secure as ActiveRecordStore. With CookieStore, intercepted cookies will give access to a valid session forever, even if you create a new one. With ActiveRecordStore, you can invalidate a session by removing it from the database.

See this blog post: http://www.bryanrite.com/ruby-on-rails-cookiestore-security-concerns-lifetime-pass/

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文