
ExpressJS: how does req.session work?

I am writing an ExpressJS backend with User login support. From multiple examples I see the use of the req.session object. It seems this object is used to store and retrieve information across server and client, so the server can set a "logged" flag and later check this flag to see if the user has logged in.

My question is, how exactly does this work? How does the server store information on the client and retrieve it from every request, is it through cookies? Is it possible for a client to manually manipulate the content of this object on the client side to foil security? If it is, what is a more secure way to check user login?

I found something from the ExpressJS Google group, so a session and a cookie are a bit different in ExpressJS. Basically:

res.cookie adds a cookie to the response; req.session is a server-side key/value store. Session data lives in server memory by default, although you can configure alternate stores.

You can store anything you want in a session. The only thing the client sees is a cookie identifying the session.

(Credit goes to Laurie Harper)

So it seems ExpressJS is already doing what @Vahid mentioned, storing the values on the server and saving a key as a cookie on the client side. From my understanding, req.session uses its own cookie (which contains just a key), independent from req.cookie's custom cookie.

I don't know your exact implementation, so I won't comment specifically on your case. But generally you can verify what's being sent from browser to server on each request; you can install a Firefox extension like "Live HTTP Headers" or "Tamper Data", or even Wireshark (if not HTTPS), or Firebug, Firecookie, etc.

Then check to see what's being sent via Cookie. I'm sure that ExpressJS thing, after successfully authenticating the user, generates a session ID, stores it in a DB and stores the same value in your browser cookie. On every request (even images) your browser sends the cookie, the server verifies the session ID against the DB and detects your session.

I've seen some old insecure code that sets the user's session with a value like loggedin=1; if that's your case, you have to know it's really easily bypassable. You have to generate, save and set a session ID per client.

Actually, the session object in req.session is not passed by the client. In your code you might have used app.use(session(options)).

This is a middleware. Now each request that reaches the Express server has to pass through this middleware. This middleware fetches the cookie (just an encoded version of the sessionId stored on the server) and decodes it to get the sessionId. The session corresponding to that sessionId is fetched from the server store and attached to the req object as req.session. It gives a feeling that we are getting the session from the client side, but actually it is the work of the middleware to attach the session object to the req object by getting the cookie from the client.
