rails4中如何加密session cookie
How to encrypt the session cookie in rails 4
假设我在我的应用程序中做了这样的事情:
session[user_id] = 1
根据我观看的视频(参考如下):在 rails 4:
默认情况下,会话 cookie 已编码但未加密。含义:由于摘要值,会话 cookie 无法更改。如果精明的用户以某种方式改变了有效负载,那么它将使会话 cookie 变得无用。
关于会话 cookie 已编码但未加密的事实。即使精明的用户无法成功更改 会话 cookie,精明的用户仍然能够读取 内容。
我知道惯例是永远不要在 cookie 中存储任何机密信息:无论该 cookie 是常规 cookie 还是会话 cookie。然而,为了增加安全性:如何加密会话 cookie,使其内容根本无法被该精明的用户读取?
此外:如何将会话 cookie 的默认行为从默认仅编码更改为同时加密?
背景: 我学习了 Lynda.com 课程 "Ruby on Rails 4 Essential Training." 我观看了 "Cookies and Sessions" 视频。
查看relevant Rails Documentation后,本区提供答案:
If you only have secret_token set, your cookies will be signed, but not encrypted. This means a user cannot alter their user_id without knowing your app's secret key, but can easily read their user_id. This was the default for Rails 3 apps.
If you have secret_key_base set, your cookies will be encrypted. This goes a step further than signed cookies in that encrypted cookies cannot be altered or read by users. This is the default starting in Rails 4.
secret_key_base 默认位于 rails 4:config/secrets.yml。所以实际上:在 rails 4 中,默认实际上是加密会话 cookie。
据我所见here:
If you have secret_key_base set, your cookies will be encrypted. This goes a step further than signed cookies in that encrypted cookies cannot be altered or read by users. This is the default starting in Rails 4.
假设我在我的应用程序中做了这样的事情:
session[user_id] = 1
根据我观看的视频(参考如下):在 rails 4:
默认情况下,会话 cookie 已编码但未加密。含义:由于摘要值,会话 cookie 无法更改。如果精明的用户以某种方式改变了有效负载,那么它将使会话 cookie 变得无用。
关于会话 cookie 已编码但未加密的事实。即使精明的用户无法成功更改 会话 cookie,精明的用户仍然能够读取 内容。
我知道惯例是永远不要在 cookie 中存储任何机密信息:无论该 cookie 是常规 cookie 还是会话 cookie。然而,为了增加安全性:如何加密会话 cookie,使其内容根本无法被该精明的用户读取?
此外:如何将会话 cookie 的默认行为从默认仅编码更改为同时加密?
背景: 我学习了 Lynda.com 课程 "Ruby on Rails 4 Essential Training." 我观看了 "Cookies and Sessions" 视频。
查看relevant Rails Documentation后,本区提供答案:
If you only have secret_token set, your cookies will be signed, but not encrypted. This means a user cannot alter their user_id without knowing your app's secret key, but can easily read their user_id. This was the default for Rails 3 apps.
If you have secret_key_base set, your cookies will be encrypted. This goes a step further than signed cookies in that encrypted cookies cannot be altered or read by users. This is the default starting in Rails 4.
secret_key_base 默认位于 rails 4:config/secrets.yml。所以实际上:在 rails 4 中,默认实际上是加密会话 cookie。
据我所见here:
If you have secret_key_base set, your cookies will be encrypted. This goes a step further than signed cookies in that encrypted cookies cannot be altered or read by users. This is the default starting in Rails 4.