Chapter 8, in the section "Sessions and the Browser", says that if you want to store sessions in the database you need to uncomment the last line of this block in environment.rb:
# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with 'rake db:sessions:create')
# config.action_controller.session_store = :active_record_store
The book then adds that if you use anything other than cookies, you also have to remove the "#" in front of :secret in application.rb (the protect_from_forgery line below):
# Filters added to this controller apply to all controllers in the application.
# Likewise, all the methods added will be available for all controllers.
class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time

  # See ActionController::RequestForgeryProtection for details
  # Uncomment the :secret if you're not using the cookie session store
  protect_from_forgery # :secret => 'be3075acb5fd614f9bc2362f1490ea6a'
end
What happens if you leave that "#" in place?
After you have added the add_to_cart action mapping from the book's example and refresh the page in the browser, Rails shows the following error:
Showing store/index.html.erb where line #9 raised:

No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store).

Extracted source (around line #9):

6:   <%= product.description %>
7:   <div class="price-line">
8:     <span class="price"><%= number_to_currency(product.price) %></span>
9:     <%= button_to "Add to Cart", :action => 'add_to_cart', :id => product %>
10:  </div>
11: </div>
12: <% end %>

RAILS_ROOT: E:/work/Pingche/InstantRails-2.0-win/rails_apps/depot
The message says to either set a :secret on protect_from_forgery or use a session store capable of generating its own keys (Cookie Session Store). Removing the "#" in front of :secret on the protect_from_forgery line makes the error go away.
Looking again at the book's wording, "if you use anything other than cookies, there is one more thing you need to do", that one more thing is deleting the "#" before :secret.
So does that mean storing sessions in the database counts as "something other than cookies"? But isn't the Rails session mechanism itself implemented on top of cookies?
An open question!
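The reason the cookie store is the exception is that Rails 2.0 derives the authenticity token from a server-side secret. The cookie session store already has one (the secret it uses to sign the session cookie), so it can generate the token itself; the Active Record store only puts a session id in the cookie and has no signing secret of its own, which is why protect_from_forgery then needs its own :secret. The stand-alone Ruby script below is an added example, not code from the book or from Rails itself: it models that decision and the resulting token check. The class Rails20CsrfModel and its methods derive_token and verify_request are hypothetical names, and the session hashes and secrets are constructed inputs.

```ruby
# Added example (not code from the book or from Rails): a stand-alone model of
# how Rails 2.0's protect_from_forgery derives the authenticity token for each
# session store, and why :secret is needed outside the cookie store.
# Rails20CsrfModel, derive_token and verify_request are hypothetical names.
require 'digest/sha1'
require 'openssl'
require 'securerandom'

class InvalidAuthenticityToken < StandardError; end

class Rails20CsrfModel
  # The message Rails 2.0 raises when neither branch below applies.
  NO_SECRET_MSG = "No :secret given to the #protect_from_forgery call. " \
                  "Set that or use a session store capable of generating " \
                  "its own keys (Cookie Session Store)."

  # store:        :cookie_store or :active_record_store
  # store_secret: the cookie store's signing secret (nil for other stores)
  # csrf_secret:  the protect_from_forgery :secret option (nil while it is
  #               still commented out in application.rb)
  def initialize(store:, store_secret: nil, csrf_secret: nil)
    @store = store
    @store_secret = store_secret
    @csrf_secret = csrf_secret
  end

  # session is a Hash standing in for the Rails session; :session_id is what
  # the browser's _session_id cookie carries under the Active Record store.
  def derive_token(session)
    if @csrf_secret
      # protect_from_forgery :secret => '...' given: the token is a digest of
      # the secret and the session id, so only the server can compute it.
      Digest::SHA1.hexdigest("#{@csrf_secret}--#{session[:session_id]}")
    elsif @store == :cookie_store
      # Cookie store: it already has a signing secret. A random csrf_id is
      # kept in the session and HMACed with that secret.
      session[:csrf_id] ||= SecureRandom.hex(16)
      OpenSSL::HMAC.hexdigest('SHA1', @store_secret, session[:csrf_id])
    else
      # Active Record (or any non-cookie) store with :secret still commented out.
      raise InvalidAuthenticityToken, NO_SECRET_MSG
    end
  end

  # The check applied to non-GET requests: the submitted authenticity_token
  # must equal the token derived for *this* session. Returns true or false.
  def verify_request(session, params, method = 'POST')
    return true if method == 'GET'
    submitted = params['authenticity_token']
    !submitted.nil? && submitted == derive_token(session)
  end
end

# Walks through the three configurations discussed above on constructed
# sessions and returns the outcome of each.
def demo
  victim  = { session_id: 'a1b2c3' }   # constructed victim session
  results = {}

  # 1. Active Record store, :secret still commented out: the error from the post.
  broken = Rails20CsrfModel.new(store: :active_record_store)
  begin
    broken.derive_token(victim)
    results[:ar_no_secret] = :no_error
  rescue InvalidAuthenticityToken => e
    results[:ar_no_secret] = e.message
  end

  # 2. Active Record store with the "#" removed.
  fixed = Rails20CsrfModel.new(store: :active_record_store,
                               csrf_secret: 'be3075acb5fd614f9bc2362f1490ea6a')
  good_token = fixed.derive_token(victim)
  results[:ar_legit]   = fixed.verify_request(victim, { 'authenticity_token' => good_token })
  results[:ar_missing] = fixed.verify_request(victim, {})   # cross-site form: no token
  # An attacker can only compute a token for their own session id; replaying
  # it against the victim's session fails.
  attacker_token = fixed.derive_token({ session_id: 'deadbeef' })
  results[:ar_forged]  = fixed.verify_request(victim, { 'authenticity_token' => attacker_token })

  # 3. Cookie store: no :secret on protect_from_forgery needed.
  cookie = Rails20CsrfModel.new(store: :cookie_store, store_secret: 'x' * 40)
  sess = { session_id: 'zz9' }
  results[:cookie_legit] = cookie.verify_request(sess, { 'authenticity_token' => cookie.derive_token(sess) })
  results
end

puts demo.inspect if __FILE__ == $0
```

Run it with plain `ruby`; configuration 1 reproduces the exact message from the error page, configuration 2 accepts only a token computed for the victim's own session id, and configuration 3 works without a protect_from_forgery secret because the store supplies one.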