In the Pyramid Framework, what is the difference between the default UnencryptedCookieSessionFactory and setting cookies manually?

I do not understand the difference between setting up an Unencrypted Session Factory in order to set cookies, as compared to using `request.response.set_cookie(..)` and `request.cookies[key]`.
The `UnencryptedCookieSessionFactory` manages one cookie, that is signed. This means that the client can read[1] what is in the cookie, but cannot change the values in the cookie.

If you set cookies directly using `response.set_cookie()`, the client can not only read the cookie, they can change the value of the cookie and you won't be able to detect that the contents have been tampered with.

Moreover, the `UnencryptedCookieSessionFactory` lets you store any Python structure and it'll take care of encoding these to fit within the limitations of a cookie; you'd have to do the same work manually with `.set_cookie()`.

[1] You'd have to base64-decode the cookie, then use the `pickle` module to decode the contents. Because the cookie is cryptographically signed, the usual security concerns that apply to `pickle` are mitigated.
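To make the signed-but-readable property concrete, here is an added example (not Pyramid's own code): a simplified signed-cookie scheme in the spirit of the session factory described above. It assumes an HMAC-SHA256 signature over a base64 JSON payload and a constructed demo secret; Pyramid's real implementation differs in details (the answer notes it uses `pickle`).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. A real deployment uses a long random secret
# kept out of source control; with a weak or leaked secret, signing is worthless.
SECRET = b"demo-secret-do-not-use"


def _encode(data: dict) -> bytes:
    # Deterministic serialization so the same dict always signs the same way.
    return base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())


def sign_cookie(data: dict, secret: bytes = SECRET) -> str:
    """Serialize a session dict and append an HMAC so tampering is detectable."""
    payload = _encode(data)
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return (payload + b"." + sig).decode()


def peek_payload(cookie: str) -> dict:
    """What any client can do: decode the payload without knowing the secret.
    The cookie is signed, not encrypted, so its contents are not confidential."""
    payload = cookie.split(".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(payload))


def load_signed_cookie(cookie: str, secret: bytes = SECRET):
    """Server side: return the session dict only if the signature verifies.
    Verification happens before any deserialization of the payload."""
    try:
        payload, sig = cookie.encode().rsplit(b".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def tamper(cookie: str, new_data: dict) -> str:
    """Simulate a client editing the cookie value but keeping the old signature.
    A plain set_cookie() value has no signature, so this edit would go unnoticed."""
    _, sig = cookie.rsplit(".", 1)
    return _encode(new_data).decode() + "." + sig


def demo():
    original = sign_cookie({"user": "alice", "role": "user"})
    forged = tamper(original, {"user": "alice", "role": "admin"})
    # Returns ({'role': 'user', 'user': 'alice'}, None): the forgery is rejected.
    return load_signed_cookie(original), load_signed_cookie(forged)
```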