How can I send data to a user that will persist between web page views, but which won't be resent to the server?

I want to send some data to a user after they log in to a web site, some kind of secret string for encryption.

I want to allow them to navigate around the web site, and I want to be able to use javascript on their machine to encrypt data before it's sent back to the server. Note: This will be in addition to using SSL.

I don't want to use cookies for this because they are sent to the server on each request.

So my aim is to have some data that will be sent across the wire only once for the whole session, but that when the user visits multiple pages, javascript will be able to access this secret. To be clear I never want to see the user's decrypted data, nor be able to.

Is this possible, maybe using HTML5 persistence or something? I need a cross-browser compatible solution please that will ideally work with IE6 (so that might shoot down any HTML5 magic).

Thanks

If you are worried about snooping, use HTTPS. It sounds like a pretty fragile encryption mechanism though, why not go more 'traditional'?

I'd doubt you can do this. A session is normally tied to a cookie (i.e. jsessionid), so to tie it to the "session" (i.e. you said "some data that will be sent across the wire only once for the whole session"), and have it available to the user, you need to put it in a cookie.

You could use a RIA plug-in like Flash or Silverlight. Both have mechanisms for storing data locally w/o sending it back to the server on each request. Java might as well.

How about keeping the user on the secure page and sending the encrypted data back with ajax calls?

I also remember seeing a php script that would load a given page into an iframe based on some criteria. I think the example I saw was just a demo, where you selected a page from a select form. The page containing the iframe can be used to persist data.

I think I'll take inspiration from the banking world and perform all of the encryption on the server. I can think of a way that I could generate a private key from the user's password making it impossible for me to decrypt data without the user being logged in.

I don't think there's a robust solution to my initial question, but thanks for the responses.
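The idea in the post above, as an added Node.js example that is not part of the original thread: a key is derived from the user's password at login and used for server-side encryption, so stored records cannot be decrypted without that password. scrypt, AES-256-GCM, the symmetric key and all function names are choices made for this example; the post mentions a "private key" without naming any algorithm.

```javascript
// Added example (Node.js). Algorithms and names are assumptions of this
// example, not taken from the thread.
const nodeCrypto = require('crypto');

// Derive a 256-bit key from the password and a per-user random salt.
// The salt is stored with the account; the key itself is never stored.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Encrypt one record. Returns the fields the server keeps at rest.
function encryptRecord(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per record
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt one record. Returns null when the key is wrong or the stored
// data was modified (the GCM tag check fails in final()).
function decryptRecord(key, record) {
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, record.iv);
    decipher.setAuthTag(record.tag);
    const plain = Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
    return plain.toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample data: the key exists only while the password is at hand.
function demo() {
  const salt = nodeCrypto.randomBytes(16);
  const sessionKey = deriveKey('correct horse battery staple', salt);
  const stored = encryptRecord(sessionKey, 'account notes');
  return {
    withPassword: decryptRecord(sessionKey, stored),
    wrongPassword: decryptRecord(deriveKey('guess', salt), stored),
  };
}
```

The server still holds the password and the derived key in memory while the user is logged in, so this protects stored records, not data in use during a session.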

You can use localStorage on HTML5-supporting browsers (IE8, FF3+, Chrome, Safari 4+, Opera 9+). You can fall back to userData for IE6 and IE7. That gives you a guaranteed minimum of 64 KB of data on all platforms (minimum userData size).

There's a library that encapsulates the various strategies for storing data locally: PersistJS

I use this to store client-side state that doesn't need to be sent to the server with every request (e.g. resizable panel dimensions). I don't think it could offer any additional security though, because any attacker that can decrypt the SSL stream can get at your data, because they can observe all your javascript code.
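The fallback strategy from the answer above, as an added example that is not from the original thread and is not PersistJS code: each candidate store is probed with a real write, and the first one that works is used. All function names are hypothetical; the IE userData behavior is not implemented, and an in-memory map stands in as the last resort.

```javascript
// Added example: choose a client-side store by probing, fall back in order.
// `candidates` are objects with the Web Storage interface, e.g.
// [window.sessionStorage, window.localStorage] in a browser.
function storageUsable(storage) {
  // Probe with a real write: a browser can expose the object and still
  // throw on setItem (storage disabled, quota exhausted).
  try {
    storage.setItem('__probe__', '1');
    const ok = storage.getItem('__probe__') === '1';
    storage.removeItem('__probe__');
    return ok;
  } catch (err) {
    return false; // also covers an undefined candidate
  }
}

function createClientStore(candidates) {
  const backend = candidates.find((s) => storageUsable(s)) || null;
  const memory = new Map(); // last resort: lost on the next page load
  return {
    persistent: backend !== null,
    set(key, value) {
      if (backend) backend.setItem(key, String(value));
      else memory.set(key, String(value));
    },
    get(key) {
      if (backend) return backend.getItem(key);
      return memory.has(key) ? memory.get(key) : null;
    },
    remove(key) { // call on logout so the value does not outlive the session
      if (backend) backend.removeItem(key);
      else memory.delete(key);
    },
  };
}

// Constructed stand-ins so the example runs outside a browser.
function fakeStorage() {
  const m = new Map();
  return {
    setItem: (k, v) => { m.set(k, String(v)); },
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    removeItem: (k) => { m.delete(k); },
  };
}
const blockedStorage = { setItem() { throw new Error('storage disabled'); } };
```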

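Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you reproduce them, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.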
