The "sessions and the browser" section of chapter 8 says that if you want to store sessions in the database, you need to uncomment the last line of this block in environment.rb:

# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with 'rake db:sessions:create')
# config.action_controller.session_store = :active_record_store
The book then says that if you use anything other than cookies, you also have to remove the "#" in front of the secret in application.rb:

# Filters added to this controller apply to all controllers in the application.
# Likewise, all the methods added will be available for all controllers.
class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time

  # See ActionController::RequestForgeryProtection for details
  # Uncomment the :secret if you're not using the cookie session store
  -> protect_from_forgery :secret => 'be3075acb5fd614f9bc2362f1490ea6a'
end
What happens if you do not remove that "#"?

After you follow the book's example and wire up the add_to_cart action, refreshing the page in the browser gives the following error:
Showing store/index.html.erb where line #9 raised:

No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store).

Extracted source (around line #9):
6: <%= product.description %>
7: <div class="price-line">
8: <span class="price"><%= number_to_currency(product.price) %></span>
9: <%= button_to "Add to Cart", action = 'add_to_cart', :id => product %>
10: </div>
11: </div>
12: <% end %>
RAILS_ROOT: E:/work/Pingche/InstantRails-2.0-win/rails_apps/depot
The message tells you to set the secret or use a session store capable of generating its own keys (Cookie Session Store), so removing the "#" in front of protect_from_forgery's :secret fixes it.

Looking at the book again, it says "if you use anything other than cookies, there is one more thing you need to do", namely delete the "#" in front of the secret.

So is storing the session in the database a "non-cookie" way of doing sessions? But isn't Rails' session mechanism itself implemented on top of cookies?

An unresolved doubt!
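To make the error message concrete, here is an added example of my own; it is not code from the book or from Rails. With :active_record_store the browser cookie carries only the session id while the session data lives in the sessions table, so the app needs its own server-side secret to derive an unguessable CSRF token. The token formula below, SHA1 over "secret--session_id", is an assumption modelled on the Rails 2.0 approach; the session id is a constructed value, and the secret is the one the generated application.rb shows.

```ruby
require 'digest/sha1'

# Added example, not code from the book or from Rails itself: a minimal model of
# how a CSRF token can be derived when the session store keeps only the session
# id in the browser cookie (as :active_record_store does) and the session data
# lives in the database. The formula SHA1("secret--session_id") is an assumption
# modelled on the Rails 2.0 approach, written out here to show why :secret matters.
class ForgeryProtection
  class InvalidAuthenticityToken < StandardError; end

  def initialize(secret = nil)
    @secret = secret
  end

  # Derive the token for one session. Without a server-side secret the only
  # input would be the session id, which the cookie already exposes, so the
  # method refuses instead of minting a guessable token.
  def token_for(session_id)
    if @secret.nil? || @secret.empty?
      raise InvalidAuthenticityToken,
            "No :secret given to the #protect_from_forgery call."
    end
    Digest::SHA1.hexdigest("#{@secret}--#{session_id}")
  end

  # Check a non-GET request: the submitted token must match the token derived
  # for the requester's own session. Comparison is constant-time so the check
  # does not leak how many leading characters matched.
  def verified?(session_id, submitted_token)
    return false if submitted_token.nil?
    expected = token_for(session_id)
    return false unless expected.bytesize == submitted_token.bytesize
    diff = 0
    expected.bytes.zip(submitted_token.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end

# Constructed values for a stand-alone run (the secret is the one the book's
# generated application.rb shows; the session id is made up).
if __FILE__ == $0
  fp  = ForgeryProtection.new('be3075acb5fd614f9bc2362f1490ea6a')
  sid = 'constructed-session-id-1234'
  tok = fp.token_for(sid)
  puts "token for session:      #{tok}"
  puts "own token accepted:     #{fp.verified?(sid, tok)}"
  puts "other session's token:  #{fp.verified?(sid, fp.token_for('other-session'))}"
  begin
    ForgeryProtection.new.token_for(sid)
  rescue ForgeryProtection::InvalidAuthenticityToken => e
    puts "without :secret -> #{e.message}"
  end
end
```

Run it with plain ruby: the token is accepted only for the session it was derived for, and constructing ForgeryProtection without a secret raises the same kind of error the page shows. That is the sense in which the book calls the database store "other than cookies": the cookie still exists, but it no longer holds the session data, so the cookie store's built-in secret is not available and protect_from_forgery needs one of its own.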