web开发敏捷之道-应用rails进行敏捷web开发【读书笔记1】

   第八章【sessions和浏览器】一节中讲到,如果将sessions存储到数据库中,需要在environment.rb中取消最下面一行的注释:

# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with 'rake db:sessions:create')
# config.action_controller.session_store = :active_record_store

然后书中提到,如果使用cookie以外的方式,你还需要将application.rb文件中的secret的“#”去掉

# Filters added to this controller apply to all controllers in the application.
# Likewise, all the methods added will be available for all controllers.

class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time

  # See ActionController::RequestForgeryProtection for details
  # Uncomment the :secret if you're not using the cookie session store
->  protect_from_forgery  :secret => 'be3075acb5fd614f9bc2362f1490ea6a'
end

如果这个“#”不去掉的话会什么情况呢?

当你按照书上例子做完add_to_cart的动作映射后,运行浏览器刷新页面,给出下面的代码提示

Showing store/index.html.erb where line #9 raised:

No :secret given to the #protect_from_forgery call. Set that or use a session 
store capable of generating its own keys (Cookie Session Store).
Extracted source (around line #9):

6:
<%= product.description %>
7:
<div class="price-line">
8:
<span class="price"><%= number_to_currency(product.price) %></span>
9:
<%= button_to "Add to Cart", action = 'add_to_cart', :id => product %>
10: </div>
11: </div>
12: <% end %>
RAILS_ROOT: E:/work/Pingche/InstantRails-2.0-win/rails_apps/depot

提示Set protect_from_forgery或者use a session store capable of generating its own keys (Cookie Session Store),将

protect_from_forgery的secret的“#”去掉即可。

再看书上的话是“如果使用cookie以外的方式,你还需要做一件事”,就是删除secret的“#”。

也就是说,我们在将session存储到数据库中的方式是cookie以外的方式么?然而rails的session方式不正是基于cookie来实现的么?

待解的疑惑!

posted @ 2011-02-26 00:24  linbirg  阅读(309)  评论(0编辑  收藏  举报