Signed cookies
Sets a signed cookie, which prevents users from tampering with its value.
The cookie is signed by your app's secrets.secret_key_base value.
It can be read using the signed method cookies.signed[:name]
cookies.signed[:user_id] = current_user.id
Encrypted cookies
Sets an encrypted cookie value before sending it to the client, which prevents users from reading and tampering with its value.
The cookie is signed by your app's secrets.secret_key_base value.
It can be read using the encrypted method cookies.encrypted[:name]
cookies.encrypted[:discount] = 45
My question is: what is the difference between the two?
When would you want to use one rather than the other?
Answer
More specifically, a signed cookie calls ActiveSupport::MessageVerifier to append a digest (generated using secret_key_base) to the cookie. If the cookie's value is modified, the digest will no longer match, and the cookie cannot be re-signed without knowing the value of secret_key_base. However, the cookie's value is merely base64 encoded and can be read by anyone.
An encrypted cookie calls ActiveSupport::MessageEncryptor to actually encrypt the cookie's value before the digest is generated. As with a signed cookie, a modified value will no longer verify, but in addition the cookie's value cannot be decrypted without secret_key_base.
As for when to use encrypted versus signed cookies, it comes down to the sensitivity of the information you store in the cookie. If all you want to guard against is someone modifying the cookie, sign it; but if you also need to keep the data confidential, encrypt it.
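As an added illustration (not Rails' own MessageVerifier/MessageEncryptor code, and not part of the answer), the following Ruby uses only the standard library to mirror the two mechanisms: a signed cookie is readable by anyone but tamper-evident, while an encrypted cookie is neither readable nor forgeable without the key. SECRET is a constructed placeholder for secret_key_base, and deriving the AES key as SHA-256(secret) is a simplification of the framework's key derivation.

```ruby
require "openssl"
require "base64"
require "json"
# Constructed placeholder standing in for the app's secrets.secret_key_base.
SECRET = "constructed-placeholder-secret_key_base"

def same_bytes?(a, b)           # constant-time comparison of two digests
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signed cookie: base64(JSON) followed by an HMAC digest over that base64 text.
def sign_cookie(value, secret = SECRET)
  data = Base64.strict_encode64(JSON.generate(value))
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA256", secret, data)}"
end

# Anyone can decode the payload of a signed cookie without knowing the secret.
def peek_signed_cookie(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split("--", 2).first))
end

# Returns the value, or nil if the digest does not match (tampered or wrong key).
def verify_cookie(cookie, secret = SECRET)
  data, digest = cookie.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless same_bytes?(OpenSSL::HMAC.hexdigest("SHA256", secret, data), digest)
  JSON.parse(Base64.strict_decode64(data))
end

# Encrypted cookie: AES-256-GCM, which also authenticates, so tampering is detected.
# Key derivation is simplified to SHA-256(secret); the real framework uses a KDF.
def encrypt_cookie(value, secret = SECRET)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(secret)
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(JSON.generate(value)) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }.join("--")
end

# Returns the value, or nil when the key is wrong or any part was modified.
def decrypt_cookie(cookie, secret = SECRET)
  ciphertext, iv, tag = cookie.split("--", 3).map { |p| Base64.strict_decode64(p) }
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(secret)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  JSON.parse(cipher.update(ciphertext) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
  nil
end
```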