stackoom
  简体   繁体   中英

database or sessions ? where to store tokens

 原文  2014-05-28 13:33:36       php/ token

Question

tokens are great tool to prevent csrf attack

for every request made by user , your system must generate a unique token and store it somewhere

the next time the client ask to perform some actions , the system verify if the token exist , and if it still valid

if we store tokens in sessions , then sessions will become too large , an this will cost a lot of memory as the CPU load the entire sessions in ram when responding to a request , and with a CPU of 1Gb for example , and 1000 users with 1 sessions of 1Mb each , the CPU will not handle anything , this could be a typical ddos attack ( to request more and more tokens knowing they are stored in sessions)

in the other side storing tokens in database have his own weakness ,

which method do you use to store tokens ?

1 answers

solution1
 2 ACCPTED  2014-05-28 13:37:55

Use sessions, 1MB per session is pretty high IMO. Since PHP's Session handler can be switched to use a different back end, you have the flexibility of storing them on disk / memcached / mysql down the road.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question store sessions into a common database Store Twitter Tokens in mysql database Login system store sessions in database Store sessions in same or separate database from app? Where do I store my tokens server side? Where to store login attempts and current login status, cookies or sessions? Where do i store username and userid? sessions or cookie? Oauth tokens storing in mysql database does not work but works fine when using sessions Using refresh tokens between sessions PHP Sessions and Unique User Tokens
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM