Ruby-on-rails Rails sessions current practices

Notice: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow original address: http://stackoverflow.com/questions/2588241/

Time: 2020-09-02 22:30:21  Source: igfitidea

Rails sessions current practices

ruby-on-rails ruby session cookies

Asked by Lukas

Anyone have any "best practices" tips for Rails and sessions? The default session type for Rails 3 is still CookieStore, right? I used SqlSessionStore for a while and it worked well, but I may move away from that in favor of CookieStore.

Is it still not a good idea to use CookieStore for sensitive info, even with salted info or is that better stored in the DB?

Answered by Volcanic

Use the database for sessions instead of the cookie-based default, which shouldn't be used to store highly confidential information

Create the session table with

rake db:sessions:create

Run the migration

rake db:migrate

Make sure you also tell rails to use ActiveRecord to manage your sessions too.

Rails 3

config/initializers/session_store.rb:

Rails.application.config.session_store :active_record_store

Rails 2

config/environment.rb:

config.action_controller.session_store = :active_record_store

Answered by Lukas

Cookies are encrypted by default in Rails 4

In Rails 4, CookieStore cookies are encrypted and signed by default:

If you only have secret_token set, your cookies will be signed, but not encrypted. This means a user cannot alter their user_id without knowing your app's secret key, but can easily read their user_id. This was the default for Rails 3 apps.

If you have secret_key_base set, your cookies will be encrypted. This goes a step further than signed cookies in that encrypted cookies cannot be altered or read by users. This is the default starting in Rails 4.

If you have both secret_token and secret_key_base set, your cookies will be encrypted, and signed cookies generated by Rails 3 will be transparently read and encrypted to provide a smooth upgrade path.

Active Record Session Store is Deprecated in Rails 4

This answer is now out-of-date with regard to Rails 4. The Active Record Session Store has been deprecated and removed from Rails, so the following generators will no longer work:

  • rake db:sessions:create

  • rails generate session_migration

This was pointed out in this answer. The reason that the Active Record Session Store was deprecated is because the reads/writes to the database don't scale well when you have a large number of users accessing your application, as stated in this blog post:

...one major issue with the Active Record session store is that it is not scalable. It puts an unnecessary load on your database. Once your application receives a large amount of traffic, the sessions database table is continuously bombarded with read/write operations.

As of Rails 4, the Active Record session store has been removed from the core framework and is now deprecated.

If you still want to use the Active Record Session Store, it's still available as a gem.

Current Rails Session Best Practices

For more current best practices for Ruby on Rails sessions, I advise that you check out the latest versions of the Ruby on Rails Security Guide.
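As an added example (not part of Lukas's answer or of Rails itself), the Ruby script below builds a minimal signed cookie and a minimal encrypted cookie from the standard library only, to make the three cases above concrete: a signed cookie can be read by whoever holds it but any edit breaks the HMAC, while an AES-GCM encrypted cookie can neither be read nor edited. The "payload--digest" layout, the PBKDF2 key derivation with a fixed salt, and every function name here are this example's own simplifications, not the real CookieStore wire format or ActiveSupport::MessageVerifier / MessageEncryptor.

```ruby
# Added example: signed vs. encrypted session cookies with Ruby's stdlib.
# Assumptions (not Rails' actual format): "payload--digest" layout for
# signed cookies, "ciphertext--iv--tag" for encrypted ones, PBKDF2 with a
# fixed salt standing in for ActiveSupport::KeyGenerator.
require "openssl"
require "json"
require "base64"
require "securerandom"

SEP = "--" # assumption: Rails-like separator between cookie parts

# Constant-time comparison so an attacker cannot time-guess the MAC.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Signed cookie (Rails 3 style: only secret_token set) -------------
def sign_cookie(session, secret)
  payload = Base64.strict_encode64(JSON.generate(session))
  digest  = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  "#{payload}#{SEP}#{digest}"
end

# Anyone holding the cookie can read it: no secret is needed.
def peek_signed_cookie(cookie)
  payload, _digest = cookie.split(SEP, 2)
  JSON.parse(Base64.strict_decode64(payload))
end

# Server side: accept only if the MAC matches; nil means "tampered".
def verify_cookie(cookie, secret)
  payload, digest = cookie.split(SEP, 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  return nil unless secure_equal?(expected, digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# What a user can try: rewrite the payload but keep the old digest.
def forge_signed_cookie(cookie, new_session)
  _payload, digest = cookie.split(SEP, 2)
  "#{Base64.strict_encode64(JSON.generate(new_session))}#{SEP}#{digest}"
end

# --- Encrypted cookie (Rails 4 style: secret_key_base set) ------------
# Assumption: derive a 256-bit key with PBKDF2 from secret_key_base.
def derive_key(secret_key_base, salt = "encrypted cookie")
  OpenSSL::PKCS5.pbkdf2_hmac(secret_key_base, salt, 1000, 32,
                             OpenSSL::Digest.new("sha256"))
end

def encrypt_cookie(session, secret_key_base)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key(secret_key_base)
  iv = cipher.random_iv # fresh 96-bit nonce per cookie
  ciphertext = cipher.update(JSON.generate(session)) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }.join(SEP)
end

# AES-GCM authenticates as well as encrypts, so an edited cookie fails to
# decrypt instead of yielding garbage; nil means "tampered or wrong key".
def decrypt_cookie(cookie, secret_key_base)
  ct, iv, tag = cookie.split(SEP, 3).map { |p| Base64.strict_decode64(p) }
  return nil if [ct, iv, tag].any?(&:nil?)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = derive_key(secret_key_base)
  cipher.iv = iv
  cipher.auth_tag = tag
  JSON.parse(cipher.update(ct) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

# Flip one ciphertext byte to simulate a user editing the cookie value.
def corrupt_cookie(cookie)
  ct, iv, tag = cookie.split(SEP, 3)
  raw = Base64.strict_decode64(ct)
  raw.setbyte(0, raw.getbyte(0) ^ 0x01)
  [Base64.strict_encode64(raw), iv, tag].join(SEP)
end

if __FILE__ == $PROGRAM_NAME
  secret = SecureRandom.hex(32)
  signed = sign_cookie({ "user_id" => 42 }, secret)
  puts "signed cookie, read without the secret: #{peek_signed_cookie(signed)}"
  forged = forge_signed_cookie(signed, { "user_id" => 1 })
  puts "forged signed cookie accepted? #{!verify_cookie(forged, secret).nil?}"
  encrypted = encrypt_cookie({ "user_id" => 42 }, secret)
  puts "encrypted cookie on the wire: #{encrypted}"
  puts "decrypts to: #{decrypt_cookie(encrypted, secret)}"
  puts "edited encrypted cookie accepted? #{!decrypt_cookie(corrupt_cookie(encrypted), secret).nil?}"
end
```

Run it with `ruby cookie_demo.rb` (any filename works). The signed cookie prints its user_id in the clear through peek_signed_cookie, which is the "can easily read their user_id" case, while the encrypted cookie only shows base64 ciphertext; both reject edits, the first through the HMAC check and the second through the GCM tag.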

Answered by Tilendor

I don't believe anything has changed in how anyone on any platform should handle cookie based sessions. Be skeptical of anything that passes beyond the server's control (cookies, form posts, etc.). That's a general principle of web development.

As far the encryption, I don't know if anything has changed on that front.

Something to be mindful of with a cookie store is the limit to the amount of data, and the gotcha that this data will be sent on the wire in every request, whereas a database store only transfers the id and the data lives on the server.

Answered by Nate Milbee

FWIW, rails 3.1 suggests running

rails generate session_migration

However this generates the exact same migration as

rake db:sessions:create

Answered by Yarin

The Rails defaults seem pretty good to me. The CookieStore is fast and should cover the majority of use cases. Sure, you're limited to 4 KB and your data will be visible to the user, but the Rails way is to only use session for things like integer IDs and basic string values. If you're trying to store objects or highly confidential information in session you're probably doing it wrong.