使用 session 变量(Express/NodeJs)进行用户身份验证
[英]User authentication with session variable (Express/NodeJs)
问题描述
Using session variables to remember login in the backend is a bad idea?
使用 session 变量在后端记住登录是一个坏主意?
Is it good?好吗? What about security?安全呢? Or alternatives?还是替代品?
Backend: Express (NodeJs) Frontend: MaterialUI (React)后端:Express (NodeJs) 前端:MaterialUI (React)
I am looking for a simple way to check access before entering and then remebering logged user.我正在寻找一种简单的方法来在输入之前检查访问权限,然后重新记住登录的用户。
I'm junior.我是小学生。 Many thanks for the advices.非常感谢您的建议。
I can easily do it.我可以轻松做到。 It's already done.已经完成了。 But I am worried about security problems or other.但我担心安全问题或其他问题。
1 个解决方案
解决方案1
0 已采纳 2020-12-27 09:56:37
The issue with session variables is that you are designing a single point of failure and you will be facing scalability issues later on. session 变量的问题在于您正在设计单点故障,并且稍后您将面临可伸缩性问题。 That means if your server goes down, all the user's data stored in a session variable will be lost.这意味着如果您的服务器出现故障,存储在 session 变量中的所有用户数据都将丢失。
Scalability Issues可扩展性问题
Let's say you have two servers, Server A and Server B, with a load balancer that routes requests to your servers.
假设您有两台服务器,服务器 A 和服务器 B,并带有一个将请求路由到您的服务器的负载平衡器。
The first request User A makes hits Server A;
用户 A 发出的第一个请求命中服务器 A;
you create your session variable and store all the related data to that user in Server A. Now, on the second request, assume the request hits Server B, now Server B has no idea that there is such data about this user, whether that user is logged in, has proper authorizations, etc.
您创建 session 变量并将所有相关数据存储到服务器 A 中的该用户。现在,在第二个请求中,假设请求命中服务器 B,现在服务器 B 不知道有关于该用户的此类数据,无论该用户已登录,具有适当的授权等。
Solution解决方案
Solution 1: In case you still want to use session variables, you have to deploy a caching server like memcached or Redis to store the session variables related to your users.
解决方案 1:如果您仍想使用 session 变量,您必须部署一个缓存服务器,如 memcached 或 Redis 来将 Z21D6F40CFB511982E4424E0E250A955Z 变量存储给您的用户。
What happens then in regards of scalability is that your servers will subscribe to this caching server and they will all have access to any data stored about any user by any server.
然后在可扩展性方面发生的事情是,您的服务器将订阅此缓存服务器,并且它们都可以访问任何服务器存储的有关任何用户的任何数据。
In terms of security, you should not be relying on the client at all.
在安全性方面,您根本不应该依赖客户端。
You should be trusting your servers and your code to handle proper authentication and authorizations.
您应该信任您的服务器和代码来处理正确的身份验证和授权。
Solution 2: You can store a JWT token in a cookie.
解决方案 2:您可以将 JWT 令牌存储在 cookie 中。
On each request, you fetch the token from the cookie, verify the token, and fetch any other data about that user.
在每个请求中,您从 cookie 中获取令牌、验证令牌并获取有关该用户的任何其他数据。
At this point, you don't even need Redis because this token will be stored on client side;
此时,您甚至不需要 Redis 因为此令牌将存储在客户端;
whether Server A or B gets the request, they can both verify it without an issue.
无论服务器 A 还是 B 收到请求,它们都可以毫无问题地验证它。
However, you have to be careful on how you issue, sign, verify, and handle tokens.
但是,您必须小心如何发行、签署、验证和处理令牌。
Also, you have to transmit tokens over HTTPS.
此外,您必须通过 HTTPS 传输令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.