数据库还是会话? 存储令牌的位置
[英]database or sessions ? where to store tokens
问题描述
tokens are great tool to prevent csrf attack 
令牌是防止csrf攻击的好工具
for every request made by user , your system must generate a unique token and store it somewhere 对于用户的每个请求,您的系统必须生成一个唯一的令牌并将其存储在某个位置
the next time the client ask to perform some actions , the system verify if the token exist , and if it still valid 下次客户要求执行某些操作时,系统将验证令牌是否存在以及令牌是否仍然有效
if we store tokens in sessions , then sessions will become too large , an this will cost a lot of memory as the CPU load the entire sessions in ram when responding to a request , and with a CPU of 1Gb for example , and 1000 users with 1 sessions of 1Mb each , the CPU will not handle anything , this could be a typical ddos attack ( to request more and more tokens knowing they are stored in sessions) 如果我们在会话中存储令牌,则会话将会变得太大,这将占用大量内存,因为CPU在响应请求时将整个会话加载到ram中,例如CPU为1Gb,1000个用户使用1个会话(每个会话1Mb),CPU将无法处理任何事情,这可能是典型的ddos攻击(要求越来越多的令牌知道它们存储在会话中)
in the other side storing tokens in database have his own weakness , 在另一边,将令牌存储在数据库中有自己的弱点,
which method do you use to store tokens ? 您使用哪种方法存储令牌?
1 个解决方案
解决方案1
2 已采纳 2014-05-28 13:37:55
Use sessions, 1MB per session is pretty high IMO. 使用会话,每个会话1MB是相当高的IMO。 Since PHP's Session handler can be switched to use a different back end, you have the flexibility of storing them on disk / memcached / mysql down the road. 由于可以将PHP的会话处理程序切换为使用其他后端,因此您可以灵活地将它们存储在磁盘/ memcached / mysql的后面。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.