Best way to store user permissions?

Published 2024-09-18 12:12:19 · 334 words · 2 views · 0 comments


Designing a fairly complicated site with a lot of ajax running on a single page. I have reached the point where some user's need to have specific permission to do things and some need to be stopped from the action. I have set up user roles in my database and all is working fine, but I wonder if there is an easier/safer method for me to store each permission.

Currently, when a user logs in their specific permissions are grabbed from the db and loaded into a session array. To check if the user has permission, I simply check to see if the permission is contained in the array. This seems sluggish, and almost like I am missing a better solution.

Also, sessions can apparently be edited by the user... is there a safer method?

I have thought running a query for each check, but that could greatly increase the load time for a simple ajax request.

I am open to any and all ideas. Thanks.


Comments (3)

浮萍、无处依 2024-09-25 12:12:20


First and foremost, the user cannot edit Session variables. The only thing that is saved on the user's machine is a Session ID. That ID is then used by the server to grab key/value pairs that are stored ONLY on the server. From a client's standpoint, it is impossible to change values on a whim.

Second, I would not worry too heavily on a database connection. Avoid repeating yourself, but don't worry too much about the first connection.

Finally, my favorite way to do multiple permissions without creating roles is to use binary math. Some people like this, some people don't, but I find it useful.

To use this method, imagine that we define the following values:

CAN_EDIT_SOMETHING        = 1     // Powers of 2
CAN_SEE_SOMETHING_ELSE    = 2
CAN_DO_ADMIN_STUFF        = 4
...                       = 8

To give people multiple permissions, use binary OR

PERMISSIONS = CAN_EDIT_SOMETHING | CAN_DO_ADMIN_STUFF

To illustrate how this works, we can look at the bits:

   0b0001
OR 0b0100
---------
   0b0101

To check if someone has a permission, use binary AND

// Parenthesised: in C-family languages (C, PHP, JavaScript) `!=` binds tighter
// than `&`, so `PERMISSIONS & FLAG != 0` would be read as `PERMISSIONS & (FLAG != 0)`
if( (PERMISSIONS & CAN_EDIT_SOMETHING) != 0 ) {
}

To see how this works, we look at the bits again

    0b0101
AND 0b0001
----------
    0b0001  // Not equal to 0. They must have that permission!

The final benefit of this method is that it allows you to combine multiple permissions easily into "meta-permissions"

// If both EDIT_SOMETHING and ADMIN_STUFF are tasks that an admin
// can perform, we can combine them easily
//
IS_FULL_ADMIN     = CAN_EDIT_SOMETHING | CAN_DO_ADMIN_STUFF


// We can then use this value exactly as we do any other permission
//
PERMISSIONS       = IS_FULL_ADMIN | CAN_SEE_SOMETHING_ELSE

Use it if you want, but it is a nice trick to have in your arsenal.

眉黛浅 2024-09-25 12:12:20


Seems OK to me! You could look at some software to enhance your session cache performance.

Querying the DB every time is not as bad as it sounds! Firstly, you probably need to connect to the DB anyway; secondly, if you queried the user's permissions when they signed in, then the chances are that all the relevant rows are sitting in the buffer and no IO is required; thirdly, a query for a single permission for a single user is going to be a lot lighter than a query for all permissions for a user.

眼泪都笑了 2024-09-25 12:12:20


Your explanation of the model seems a bit confused. Permission is the product of the subject authorization and the object authorization. Do you really store these products for every combination of subject and object? That's a very inefficient solution and very hard to manage.

Also, sessions can apparently be edited by the user

WTF?????!!!!

Session data should only ever be changed by the methods you define in your code - if users are able to modify any part of the session data in any way they like then this is the first problem you need to address - until you do, it will be virtually impossible to rely on any part of your authentication/authorization method unless you move authentication completely out of the domain of your application code (BTW: this is not the right way to fix the problem).

Certainly searching a very large array (not sure of the actual breakpoint - but in the region of n=1000 - but there are lots of variables affecting this) can be significantly slower than fetching the results from a database.

It's hard to say what you're doing wrong without understanding how your current system works. Is it one of these?
