![](/img/trans.png)
[英]Browser Back Button doesn't destroy the session in PassportJS + ExpressJS. How to kill/terminate the session entirely?
[英]Expressjs doesn't destroy session
我有一個Backbone View,它向服務器發送Ajax調用以刪除會話。
在服務器上跟隨事件被觸發:
app.delete('/session', function(req, res) {
if (req.session) {
req.session.destroy(function() {
res.clearCookie('connect.sid', { path: '/' });
res.send('removed session', 200);
});
} else {
res.send('no session assigned', 500);
}
});
奇怪的是,我可以多次按下注銷按鈕而不會收到HTTP 500錯誤代碼。 鉻也告訴我餅干仍然存在。
出了什么問題?
問候
編輯 :
我發現這不是一個會話問題,而是一個cookie問題。 我在路線上添加了res.clearCookie。 不幸的是,行為(cookie,會話保持活躍)沒有改變
EDIT2 :我現在給res.clearCookie一些參數=> res.clearCookie('connect.sid',{path:'/'}); 現在至少cookie已經在瀏覽器中消失了。 但會議似乎仍然可用。 或者至少我可以調用注銷路徑我甚至需要req.session應該是假的
編輯3:我現在從redis中刪除了所有會話並重新啟動了所有內容(redis,node,browser)。 比我再次登錄並退出。 這工作到目前為止,但當我用F5重新登錄頁面時,我得到一個新的會話。 為什么?
為了集中所有評論,我寫了一個答案:
因為express總是為客戶創建會話和cookie,我們必須采取不同的方法,而不僅僅是檢查是否有會話。
這部分處理登錄
app.post('/session', function(req, res) {
User.findOne({ username: req.body.username })
.select('salt') // my mongoose schema doesn't fetches salt
.select('password') // and password by default
.exec(function(err, user) {
if (err || user === null) throw err; // awful error handling here
// mongoose schema methods which checks if the sent credentials
// are equal to the hashed password (allows callback)
user.hasEqualPassword(req.body.password, function(hasEqualPassword) {
if (hasEqualPassword) {
// if the password matches we do this:
req.session.authenticated = true; // flag the session, all logged-in check now check if authenticated is true (this is required for the secured-area-check-middleware)
req.session.user = user; // this is optionally. I have done this because I want to have the user credentials available
// another benefit of storing the user instance in the session is
// that we can gain from the speed of redis. If the user logs out we would have to save the user instance in the session (didn't tried this)
res.send(200); // sent the client that everything gone ok
} else {
res.send("wrong password", 500); // tells the client that the password was wrong (on production sys you want to hide what gone wronge)
}
});
});
});
那是登錄部分讓我們去注銷:
app.delete('/session', function(req, res) {
// here is our security check
// if you use a isAuthenticated-middleware you could make this shorter
if (req.session.authenticated) {
// this destroys the current session (not really necessary because you get a new one
req.session.destroy(function() {
// if you don't want destroy the whole session, because you anyway get a new one you also could just change the flags and remove the private informations
// req.session.user.save(callback(err, user)) // didn't checked this
//delete req.session.user; // remove credentials
//req.session.authenticated = false; // set flag
//res.clearCookie('connect.sid', { path: '/' }); // see comments above res.send('removed session', 200); // tell the client everything went well
});
} else {
res.send('cant remove public session', 500); // public sessions don't containt sensible information so we leave them
}
});
希望這可以幫助
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.