
Play! framework: using session for authentication

So I'm using the Play! framework for a website project. I'm using the session to determine if the user has logged in:

session("connected", user.getId().toString());

Then I can easily identify who the user is whenever I want to.

I have two questions:

  1. Is this best practice?
  2. Are there vulnerabilities in my simple login system, and how do I remove them?

It's simple and secure, as session scope cookies are signed with a secret key. If there is no need to store a large amount of data for each session, it should be OK.

Take a look at existing solutions (i.e. the zentasks sample).

Edit:

On the other hand, you can consider using Play Authenticate. I've added session handling to the sample in my fork (branch 2.0.4_session) in samples/java/play-authenticate-usage; it's just 3 commits, so it's quite easy to merge it into the existing play-authenticate-usage implementation.
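The pattern the answer points at (the zentasks sample) written out for the question's `"connected"` key, as an added example that is not part of the question, the answer, or the Play Authenticate fork. It assumes a Play 2.0.x Java project whose `Application` controller has `login()`, `authenticate()`, `index()` and `logout()` actions mapped in `conf/routes`, a `views.html.login` template that takes the login form, and a `User` model with `authenticate(email, password)` and `findByEmail(email)`; all of those names are assumptions for the example. The point it shows is that the check is centralised in a `Security.Authenticator` subclass rather than repeated in each action, and that the session value is trusted only because Play signs the session cookie with `application.secret`.

```java
// File: app/controllers/Secured.java
package controllers;

import play.mvc.Http.Context;
import play.mvc.Result;
import play.mvc.Security;

// Play calls getUsername() before every action annotated with
// @Security.Authenticated(Secured.class). The session cookie is signed
// (HMAC with application.secret), so a "connected" value that reaches this
// method was set by this server; a cookie with a bad signature is discarded
// by Play and the session reads as empty.
public class Secured extends Security.Authenticator {

    @Override
    public String getUsername(Context ctx) {
        // null means "not logged in" and triggers onUnauthorized().
        return ctx.session().get("connected");
    }

    @Override
    public Result onUnauthorized(Context ctx) {
        // Assumed route: GET /login -> controllers.Application.login()
        return redirect(routes.Application.login());
    }
}

// File: app/controllers/Application.java
package controllers;

import models.User;                 // assumed model class
import play.data.Form;
import play.mvc.Controller;
import play.mvc.Result;
import play.mvc.Security;

public class Application extends Controller {

    // Form backing object; validate() runs during bindFromRequest().
    public static class Login {
        public String email;
        public String password;

        public String validate() {
            // User.authenticate() is assumed to return null on a bad pair.
            if (User.authenticate(email, password) == null) {
                return "Invalid user or password";
            }
            return null;
        }
    }

    // GET /login
    public static Result login() {
        return ok(views.html.login.render(Form.form(Login.class)));
    }

    // POST /login
    public static Result authenticate() {
        Form<Login> loginForm = Form.form(Login.class).bindFromRequest();
        if (loginForm.hasErrors()) {
            return badRequest(views.html.login.render(loginForm));
        }
        User user = User.findByEmail(loginForm.get().email);
        session().clear();                               // drop any stale state first
        session("connected", user.getId().toString());   // the question's own line
        return redirect(routes.Application.index());
    }

    // Only reachable with a valid, server-signed "connected" value.
    @Security.Authenticated(Secured.class)
    public static Result index() {
        String userId = session("connected");            // non-null here
        return ok("Logged in as user " + userId);
    }

    // GET /logout
    public static Result logout() {
        session().clear();
        return redirect(routes.Application.login());
    }
}
```

Two caveats that follow from how Play's session works: the cookie is signed, not encrypted, so the user can read the `connected` value (only forging it is prevented); keep secrets out of it. And there is no server-side session state, so `session().clear()` on logout only removes the cookie from that browser; a copy of the cookie taken earlier stays valid until it expires, which is why setting `session.maxAge` in `application.conf` matters.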

