cookie_store,session

http://railscasts.com/episodes/84-cookie-based-session-store
http://izumi.plan99.net/blog/index.php/2007/11/25/rails-20-cookie-session-store-and-security/
http://blog.caboo.se/articles/2007/2/21/new-controversial-default-rails-session-storage-cookies
http://stackoverflow.com/questions/192153/what-is-the-best-way-to-read-the-rails-session-secret
http://hi.baidu.com/holin/blog/item/36b9b21127f85e7ccb80c45e.html
http://api.rubyonrails.org/classes/ActionController/SessionManagement/ClassMethods.html#M000299

actionpack-2.1.2/lib/action_controller/session/cookie_store.rb
<br /> # Generate the HMAC keyed message digest. Uses SHA1 by default.<br /> def generate_digest(data)<br /> key = @secret.respond_to?(:call) ? @secret.call(@session) : @secret<br /> OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(@digest), key, data)<br /> end<br /><br /> private<br /> # Marshal a session hash into safe cookie data. Include an integrity hash.<br /> def marshal(session)<br /> data = ActiveSupport::Base64.encode64(Marshal.dump(session)).chop<br /> "#{data}--#{generate_digest(data)}"<br /> end<br /><br /> # Unmarshal cookie data to a hash and verify its integrity.<br /> def unmarshal(cookie)<br /> if cookie<br /> data, digest = cookie.split('--')<br /><br /> # Do two checks to transparently support old double-escaped data.<br /> unless digest == generate_digest(data) || digest == generate_digest(data = CGI.unescape(data))<br /> delete<br /> raise TamperedWithCookie<br /> end<br /><br /> Marshal.load(ActiveSupport::Base64.decode64(data))<br /> end<br /> end<br /><br />

BAh7ByIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%0ASGF
zaHsABjoKQHVzZWR7ADoNbG9naW5faWQw--b410e484d58fa0b31c5e778115c66ea29a220af8

-- 前面是data的部份, 後面是digest的部份, data可以讓user 去decode 沒關係, 但是digest的部份有加上secret 去做encode, 所以可以用來辨識這是不是我們網站自己產生合法的cookie