web开发敏捷之道-应用rails进行敏捷web开发【读书笔记1】

   第八章【sessions和浏览器】一节中讲到，如果将sessions存储到数据库中，需要在environment.rb中取消最下面一行的注释：

# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with 'rake db:sessions:create')
# config.action_controller.session_store = :active_record_store

然后书中提到，如果使用cookie以外的方式，你还需要将application.rb文件中的secret的“#”去掉

# Filters added to this controller apply to all controllers in the application.
# Likewise, all the methods added will be available for all controllers.

class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time

  # See ActionController::RequestForgeryProtection for details
  # Uncomment the :secret if you're not using the cookie session store
->  protect_from_forgery  :secret => 'be3075acb5fd614f9bc2362f1490ea6a'
end

如果这个“#”不去掉的话会什么情况呢？

当你按照书上例子做完add_to_cart的动作映射后，运行浏览器刷新页面，给出下面的代码提示

Showing store/index.html.erb where line #9 raised:

No :secret given to the #protect_from_forgery call. Set that or use a session 

store capable of  generating its own keys (Cookie Session Store).

Extracted source (around line #9):

6: <% = product.description %>
7: < div class ="price-line" >
8: < span class ="price" > <% = number_to_currency(product.price) %> </ span >
9: <% = button_to " Add to Cart " , action = ' add_to_cart', :id => product %>
10 : </ div >
11 : </ div >
12 : < % end %>
RAILS_ROOT: E:/work/Pingche/InstantRails-2.0-win/rails_apps/depot

提示Set protect_from_forgery或者use a session store capable of generating its own keys (Cookie Session Store)，将

protect_from_forgery的secret的“#”去掉即可。

再看书上的话是“如果使用cookie以外的方式，你还需要做一件事”，就是删除secret的“#”。

也就是说，我们在将session存储到数据库中的方式是cookie以外的方式么？然而rails的session方式不正是基于cookie来实现的么？

待解的疑惑！

转载于:https://www.cnblogs.com/linbirg/archive/2011/02/26/1965510.html