
Play framework how do sessions and cookies work?

How does Play validate a cookie?

  • I noticed that after I restarted the server I was still logged in even though I don't persist any session data in the database.
  • I also noticed that I could set the date on the server to be later than the expiry date of the cookie and still I was logged in.
  • I logged out (having saved the cookie to a text file) and the browser lost the cookie. Then I recreated the cookie from the text file and I was logged in again.

The cookie looks like this:

PLAY_SESSION=e6443c88da7xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-userid%3A1

// My logout code
def logout() = Action {
  Ok("").withNewSession
}

From the documentation:
Discarding the whole session
There is a special operation that discards the whole session:

Ok("Bye").withNewSession

You didn't specify how you authenticate users, so I just guess that you're using the simple sample which is... simple.

It uses the user's id to identify the user, and checks that the signed session cookie wasn't manipulated, therefore if you recreate the cookie with a proper signature it will still be valid.

You should create some area for session keys on the server side, i.e. in the DB or in a memory cache (which will be faster than the DB). Its key should be randomly generated (and preferably quite long) for each successful login action, and should also contain data for identifying the user, expiration date etc. Next you should put this random sess_key into Play's session instead of the email address of the logged-in user or the id of his row in the DB, and after logout and/or the expiration date it should be removed. In such a case even if you lose the cookie after logout it will be impossible to log in properly with a non-existing sess_key.

AFAIR the standard memory cache will be purged at every restart of the application; to make sure that all sess_keys from the DB are removed as well you can use the Global object and truncate the table in the onStart(...) method.
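The server-side session registry described in this answer, as an added example that is not part of the original post or of Play itself. It assumes the Play 2.x Scala API (Action, withSession, withNewSession, GlobalSettings); the in-memory ConcurrentHashMap store, the checkCredentials function and the 30-minute TTL are stand-ins for whatever DB or cache and credential check the application actually uses. The cookie carries only the random key, so a replayed cookie whose key was revoked at logout (or wiped at restart) is rejected even though Play's signature on it is still valid:

```scala
package controllers

import java.security.SecureRandom
import java.util.Base64
import java.util.concurrent.ConcurrentHashMap
import play.api._
import play.api.mvc._

// Server-side registry of live sessions. Constructed for this example: a real
// deployment would back this with a DB table or a shared cache, not a singleton map.
object SessionStore {
  case class Entry(userId: Long, expiresAt: Long)
  private val entries = new ConcurrentHashMap[String, Entry]()
  private val rng = new SecureRandom()

  // 32 random bytes, URL-safe base64: long and unguessable, as the answer asks for.
  def newKey(): String = {
    val buf = new Array[Byte](32)
    rng.nextBytes(buf)
    Base64.getUrlEncoder.withoutPadding.encodeToString(buf)
  }

  // Register a fresh key for a successful login and return it.
  def create(userId: Long, ttlMillis: Long): String = {
    val key = newKey()
    entries.put(key, Entry(userId, System.currentTimeMillis() + ttlMillis))
    key
  }

  // Only keys that exist server-side and have not passed their expiry resolve to a user.
  def lookup(key: String): Option[Entry] =
    Option(entries.get(key)).filter(_.expiresAt > System.currentTimeMillis())

  def revoke(key: String): Unit = entries.remove(key)

  // Dropping everything on start mirrors the "truncate the table in onStart" advice.
  def clear(): Unit = entries.clear()
}

object Global extends GlobalSettings {
  override def onStart(app: Application): Unit = SessionStore.clear()
}

object Auth extends Controller {
  // Hypothetical credential check standing in for the app's real user lookup.
  private def checkCredentials(user: String, pass: String): Option[Long] =
    if (user == "alice" && pass == "correct horse") Some(1L) else None

  def login = Action { implicit request =>
    val form = request.body.asFormUrlEncoded.getOrElse(Map.empty)
    (form.get("user").flatMap(_.headOption), form.get("pass").flatMap(_.headOption)) match {
      case (Some(u), Some(p)) =>
        checkCredentials(u, p) match {
          case Some(uid) =>
            val key = SessionStore.create(uid, ttlMillis = 30 * 60 * 1000L) // assumed 30 min TTL
            // The signed cookie holds only the random key, never the user id itself.
            Ok("logged in").withSession("sess_key" -> key)
          case None => Unauthorized("bad credentials")
        }
      case _ => BadRequest("missing fields")
    }
  }

  // Revoke server-side first, then clear the cookie: withNewSession alone would
  // leave a saved copy of the cookie usable.
  def logout = Action { implicit request =>
    request.session.get("sess_key").foreach(SessionStore.revoke)
    Ok("Bye").withNewSession
  }

  // Wrap actions that need a logged-in user. A valid signature is not enough:
  // the key must still be present and unexpired in SessionStore.
  def Authenticated(f: Long => Request[AnyContent] => Result): Action[AnyContent] =
    Action { request =>
      request.session.get("sess_key").flatMap(SessionStore.lookup) match {
        case Some(entry) => f(entry.userId)(request)
        case None        => Unauthorized("not logged in").withNewSession
      }
    }

  def profile = Authenticated { uid => request => Ok(s"hello user $uid") }
}
```

GlobalSettings is the Play 2.0 to 2.4 hook named in the answer; on newer Play versions the same clear() call belongs in an eagerly bound module or ApplicationLifecycle hook. The store is process-local here, so behind more than one server instance it has to be replaced by a shared backend or the key will only resolve on the node that issued it.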

I found the answer by reading the documentation more carefully and combining different parts.

There is no technical timeout for the Session. It expires when the user closes the web browser. If you need a functional timeout for a specific application, just store a timestamp into the user Session and use it however your application needs (e.g. for a maximum session duration, maximum inactivity duration, etc.).

It's important to understand that Session and Flash data are not stored by the server but are added to each subsequent HTTP request, using the cookie mechanism. This means that the data size is very limited (up to 4 KB) and that you can only store string values.

So that was what I feared: if the cookie gets lost anyone can log in to the server for all future.

What I have to do to secure this is to add a self-made timestamp authorization (save a timestamp in the cookie and validate it server side).
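The timestamp scheme this answer settles on, as an added example that is not part of the original post or of Play itself. It assumes the Play 2.x Scala API (Session, Action, withSession); the 15-minute idle limit, the 8-hour absolute limit and the login action are assumptions for illustration. Because Play signs the session cookie, the client cannot alter the timestamps, but the server still has to check them on every request since the cookie itself never stops verifying:

```scala
package controllers

import play.api.mvc._
import scala.util.Try

// Functional timeout layered on the stateless signed session cookie.
object TimedSession {
  val MaxIdleMillis  = 15 * 60 * 1000L      // assumed policy: 15 min of inactivity
  val MaxTotalMillis = 8 * 60 * 60 * 1000L  // assumed policy: 8 h absolute lifetime

  // Session values are strings only, so timestamps are stored as epoch millis text.
  def start(userId: Long, now: Long = System.currentTimeMillis()): Session =
    Session(Map(
      "userid"    -> userId.toString,
      "login_at"  -> now.toString,
      "last_seen" -> now.toString))

  private def long(s: Session, k: String): Option[Long] =
    s.get(k).flatMap(v => Try(v.toLong).toOption)

  // Returns the user id plus a refreshed session while both limits hold, None otherwise.
  // A cookie saved before logout therefore stops working once either window closes,
  // and a server clock moved past the limits rejects it immediately.
  def validate(s: Session, now: Long = System.currentTimeMillis()): Option[(Long, Session)] =
    for {
      uid      <- long(s, "userid")
      loginAt  <- long(s, "login_at")
      lastSeen <- long(s, "last_seen")
      if now >= loginAt && now - loginAt <= MaxTotalMillis   // absolute cap
      if now >= lastSeen && now - lastSeen <= MaxIdleMillis  // inactivity cap
    } yield (uid, s + ("last_seen" -> now.toString))         // sliding window
}

object Secured extends Controller {
  // Hypothetical credential check standing in for the app's real user lookup.
  private def checkCredentials(user: String, pass: String): Option[Long] =
    if (user == "alice" && pass == "correct horse") Some(1L) else None

  def login = Action { implicit request =>
    val form = request.body.asFormUrlEncoded.getOrElse(Map.empty)
    (form.get("user").flatMap(_.headOption), form.get("pass").flatMap(_.headOption)) match {
      case (Some(u), Some(p)) =>
        checkCredentials(u, p) match {
          case Some(uid) => Ok("logged in").withSession(TimedSession.start(uid))
          case None      => Unauthorized("bad credentials")
        }
      case _ => BadRequest("missing fields")
    }
  }

  def logout = Action { Ok("Bye").withNewSession }

  // Every protected request re-validates the timestamps and writes back the refreshed
  // last_seen, so the idle window slides forward only while the session is in use.
  def Authenticated(f: Long => Request[AnyContent] => Result): Action[AnyContent] =
    Action { request =>
      TimedSession.validate(request.session) match {
        case Some((uid, refreshed)) => f(uid)(request).withSession(refreshed)
        case None                   => Unauthorized("session expired").withNewSession
      }
    }

  def profile = Authenticated { uid => request => Ok(s"hello user $uid") }
}
```

This keeps the session stateless, which is what the documentation quoted above describes, so a copied cookie stays usable until the idle or absolute window passes; it cannot be revoked early the way a server-side key can. The absolute cap is what bounds that exposure, so it should be set with the replay case in mind rather than left at the idle limit alone.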
