Agile Web Development with Rails: reading notes 1

The section "Sessions and the browser" in chapter 8 says that if you want to store sessions in the database, you need to uncomment the last line of this block in environment.rb:

# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with 'rake db:sessions:create')
# config.action_controller.session_store = :active_record_store

The book then says that if you use a store other than cookies, you also need to remove the "#" in front of the secret in application.rb:

# Filters added to this controller apply to all controllers in the application.
# Likewise, all the methods added will be available for all controllers.

class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time

  # See ActionController::RequestForgeryProtection for details
  # Uncomment the :secret if you're not using the cookie session store
  protect_from_forgery :secret => 'be3075acb5fd614f9bc2362f1490ea6a'  # the "#" before :secret has been removed
end

What happens if you leave that "#" in place?

Once you have followed the book's example and added the add_to_cart action mapping, refreshing the page in the browser produces the following error:

Showing store/index.html.erb where line #9 raised:

No :secret given to the #protect_from_forgery call. Set that or use a session
store capable of generating its own keys (Cookie Session Store).

Extracted source (around line #9):

6:  <%= product.description %>
7:  <div class="price-line">
8:  <span class="price"><%= number_to_currency(product.price) %></span>
9:  <%= button_to "Add to Cart", action = 'add_to_cart', :id => product %>
10: </div>
11: </div>
12: <% end %>

RAILS_ROOT: E:/work/Pingche/InstantRails-2.0-win/rails_apps/depot

The message says to set :secret on protect_from_forgery, or to use a session store capable of generating its own keys (Cookie Session Store). Removing the "#" in front of protect_from_forgery's secret resolves it.

Looking at the book's wording again, it says "if you use something other than cookies, there is one more thing you need to do", and that thing is deleting the "#" before secret.

In other words, does storing the session in the database count as "something other than cookies"? Isn't the Rails session mechanism itself implemented on top of cookies?

A question still waiting for an answer!
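As an added illustration (not code from the book, from this post, or from Rails itself), the Ruby below models what separates the two stores from protect_from_forgery's point of view in Rails 2.x. Both stores use a cookie, but the cookie store puts the signed session data itself into the cookie and therefore already holds a secret from which it can derive a per-session digest, while the database store places only an opaque session id in the cookie and holds no secret at all, so the CSRF token has nothing to be derived from unless you supply :secret explicitly. The class and method names (CookieSessionStore, DbSessionStore, authenticity_token) and the secret strings are constructed stand-ins, not the framework's internals.

```ruby
require 'digest/sha1'
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Added example: a small model of why a cookie-backed session store can
# "generate its own keys" for the CSRF token while a database-backed store
# cannot. Class and method names are hypothetical stand-ins.

class MissingSecret < StandardError; end

# Cookie store: the whole session hash travels in the cookie, signed with the
# store's own secret. Having a secret is what lets it also derive a digest.
class CookieSessionStore
  def initialize(secret)
    @secret = secret
  end

  # Cookie value sent to the browser: encoded data plus an HMAC signature.
  # The data is only encoded, not encrypted, so the client can read it.
  def cookie_for(session)
    data = Base64.strict_encode64(JSON.generate(session))
    "#{data}--#{hmac(data)}"
  end

  # On the next request the signature is checked before the data is trusted.
  def load(cookie)
    data, sig = cookie.split('--', 2)
    raise 'cookie signature mismatch' unless sig && secure_compare(sig, hmac(data))
    JSON.parse(Base64.strict_decode64(data))
  end

  # The capability the Rails error message calls "generating its own keys".
  def generate_digest(session_id)
    hmac(session_id)
  end

  private

  def hmac(value)
    OpenSSL::HMAC.hexdigest('SHA1', @secret, value)
  end

  # Constant-time comparison so signature checking does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Database store: only an opaque session id goes into the cookie; the data
# lives in the sessions table (a Hash stands in for the table here).
# Nothing in this store is secret, so it cannot produce a digest on its own.
class DbSessionStore
  def initialize
    @rows = {}
  end

  def cookie_for(session)
    id = SecureRandom.hex(16)
    @rows[id] = session
    id
  end

  def load(id)
    @rows.fetch(id)
  end
end

# Mirrors the decision protect_from_forgery makes: an explicit :secret wins,
# otherwise the store must be able to generate a digest, otherwise fail.
def authenticity_token(store, session_id, secret = nil)
  if secret
    Digest::SHA1.hexdigest("#{secret}--#{session_id}")
  elsif store.respond_to?(:generate_digest)
    store.generate_digest(session_id)
  else
    raise MissingSecret, 'No :secret given to the #protect_from_forgery call.'
  end
end

# Walks through the cases the post runs into and returns the outcomes.
def session_store_demo
  session = { 'cart' => ['product 7'] }                          # constructed
  cookie_store = CookieSessionStore.new('cookie-store-secret')  # constructed
  db_store = DbSessionStore.new
  result = {}

  # 1. The cookie store carries the data itself and verifies it on load.
  cookie = cookie_store.cookie_for(session)
  result[:cookie_roundtrip] = cookie_store.load(cookie) == session

  # 2. A cookie with altered data but the old signature is rejected.
  _data, sig = cookie.split('--', 2)
  forged = Base64.strict_encode64(JSON.generate('cart' => ['free item']))
  result[:tamper_rejected] = begin
    cookie_store.load("#{forged}--#{sig}")
    false
  rescue RuntimeError
    true
  end

  # 3. With the cookie store, protect_from_forgery needs no :secret.
  result[:cookie_token] = authenticity_token(cookie_store, 'sid-123')

  # 4. With the database store the cookie holds only an id, and the token
  #    cannot be derived until an explicit :secret is supplied.
  id = db_store.cookie_for(session)
  result[:db_cookie_is_id_only] = (id !~ /cart/) && db_store.load(id) == session
  result[:db_without_secret] = begin
    authenticity_token(db_store, id)
    :ok
  rescue MissingSecret
    :missing_secret
  end
  result[:db_with_secret] = authenticity_token(db_store, id, 'app-secret')  # constructed
  result
end
```

Running session_store_demo shows both halves of the answer to the question above: the database store still uses a cookie, but the cookie is nothing more than a lookup key, which is exactly why the book calls it "something other than cookies" from the session store's perspective. The comparison also makes the environment.rb warning concrete: the cookie store's signature stops the client from altering the session, but the session contents are readable by whoever holds the cookie, so confidential data does not belong there.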

posted @ 2011-02-26 00:24  linbirg