What is the difference between signed and encrypted cookies in Rails?

Time: 2021-01-03 11:37:01

The documentation of ActionDispatch::Cookies gives nearly identical descriptions for both signed cookies and encrypted cookies. It appears that both use secrets.secret_key_base to prevent client-side tampering. http://api.rubyonrails.org/classes/ActionDispatch/Cookies.html

Signed Cookies

Sets a signed cookie, which prevents users from tampering with its value. The cookie is signed by your app's secrets.secret_key_base value. It can be read using the signed method cookies.signed[:name]

cookies.signed[:user_id] = current_user.id

Encrypted cookies

Sets an encrypted cookie value before sending it to the client which prevent users from reading and tampering with its value. The cookie is signed by your app's secrets.secret_key_base value. It can be read using the encrypted method cookies.encrypted[:name]

cookies.encrypted[:discount] = 45

My question is: What is the difference between the two?

When would you want to use one over the other?

1 answer

#1


29  

It's subtle, but the answer is in the documentation you provided. Signed cookies only guard against tampering, while encrypted cookies guard against reading and tampering.

More specifically, signed cookies call ActiveSupport::MessageVerifier to append a digest (generated using secret_key_base) to the cookie. If the value of the cookie is modified, the digest will no longer match, and without knowing the value of secret_key_base, the cookie cannot be signed. The value of the cookie is merely base64 encoded, however, and can be read by anyone.

Encrypted cookies call ActiveSupport::MessageEncryptor to actually encrypt the value of the cookie before generating the digest. Similar to signed cookies, if the value of the cookie is modified the digest will no longer match, but additionally the value of the cookie cannot be decrypted without the secret_key_base.

As to when you'd use encrypted versus signed cookies, it comes down to the sensitivity of the information you're storing in the cookie. If all you want to protect against is someone modifying the cookie, then sign it - but if you also need to keep the data secret, encrypt it.
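To make the difference concrete, here is an added example (not code from the question, the answer, or Rails itself) that rebuilds both cookie formats with only Ruby's standard OpenSSL library: an HMAC-signed cookie whose Base64 payload any client can decode, and an AES-256-GCM encrypted cookie that cannot be read or altered without the key. The secret, the salt string and the PBKDF2 key derivation are assumptions standing in for secret_key_base and Rails' key generator.

```ruby
require "openssl"
require "base64"

# Stand-in for Rails' secrets.secret_key_base (constructed for this demo; never reuse it).
SECRET_KEY_BASE = "constructed-demo-secret-not-for-production"
# Constant-time comparison so digest checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signed cookie: the value is only Base64-encoded and an HMAC digest is appended, so anyone
# can decode the value but nobody without the secret can produce a matching digest.
def sign_cookie(value, secret = SECRET_KEY_BASE)
  payload = Base64.strict_encode64(value.to_s)
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
end

# Returns the value if the digest matches, nil if the cookie was altered or forged.
def verify_cookie(cookie, secret = SECRET_KEY_BASE)
  payload, digest = cookie.to_s.split("--", 2)
  return nil unless payload && digest && secure_equal?(OpenSSL::HMAC.hexdigest("SHA256", secret, payload), digest)
  Base64.strict_decode64(payload)
end

# Encrypted cookie: AES-256-GCM, so the value can be neither read nor changed without the
# key. PBKDF2 key derivation here is an assumption standing in for Rails' key generator.
def cookie_key(secret)
  OpenSSL::PKCS5.pbkdf2_hmac(secret, "encrypted cookie", 1000, 32, "sha256")
end
def encrypt_cookie(value, secret = SECRET_KEY_BASE)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = cookie_key(secret)
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(value.to_s) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

def decrypt_cookie(cookie, secret = SECRET_KEY_BASE)
  ciphertext, iv, tag = cookie.to_s.split("--", 3).map { |part| Base64.strict_decode64(part) }
  return nil unless ciphertext && iv && tag
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = cookie_key(secret)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil # wrong key, modified ciphertext/iv/tag, or malformed cookie: treat as absent
end
```

Decoding the first segment of the signed cookie yields the plain value, while the same step on the encrypted cookie yields only ciphertext; in both formats any modification makes verification return nil.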