express-session - the difference between session id and connect.sid?


Problem description

What is the difference between session id and connect.sid?

For example:

console.log('session id =', req.sessionID)

Result:

session id = CCw2pSpdPf8NRKLQpFH-nlFztEzps24Q 

And:

console.log('req.headers =', req.headers)

Result:

req.headers = {
  host: 'localhost:3000',
  connection: 'keep-alive',
  'cache-control': 'max-age=0',
  'upgrade-insecure-requests': '1',
  'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 ' +
    '(KHTML, like Gecko) Chrome/73.0.3683.75 ' +
    'Safari/537.36',
  dnt: '1',
  accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
  'accept-encoding': 'gzip, deflate, br',
  'accept-language': 'en-GB,en-US;q=0.9,en;q=0.8',
  cookie: 'connect.sid=s%3ACCw2pSpdPf8NRKLQpFH-nlFztEzps24Q.P04Tx%2FNboFGXvR34HOjpbeh4ogWy58zs%2Bpyde%2FkuUVs',
  'if-none-match': 'W/"2f-u+/xADzzu5HL7bySP/YXVKZBlPc"'
}

So what is the relation between CCw2pSpdPf8NRKLQpFH-nlFztEzps24Q and connect.sid?

How do I use them in a middleware to verify the user?

Recommended answer

A session identifies a particular client. The general idea is that the session object and any data you put into the session object persists on the server. When a user makes a request to your server, they present the session cookie which your session infrastructure looks up and fetches the appropriate session object. Your request handlers can then use that session object and the data you put into it for whatever you want.

The data in a session object is stored locally on your server so it is secure and cannot be messed with by the client.

How do I use them in a middleware to verify the user?

For authentication, one would typically create some state in the session object that represents whether the user has been properly authenticated or not. If not, you ask them for credentials. If so, you allow the request to proceed.

Here's some pseudo code for a middleware.

const express = require("express");
const session = require("express-session");
const app = express();

app.use(express.urlencoded({ extended: false })); // parse the login form body
app.use(session({ secret: "replace-with-a-long-random-secret", resave: false, saveUninitialized: false }));

app.get("/login", (req, res) => {
   // handle login page
   res.sendFile("login.html", { root: __dirname });
});

app.post("/login", (req, res) => {
   // check auth credentials from the login form;
   // checkCredentials is a placeholder for the application's own check
   if (checkCredentials(req.body.username, req.body.password)) {
       req.session.authenticated = true;
       res.redirect("/someOtherPage.html");
   } else {
       req.session.authenticated = false;
       res.redirect("/login");
   }
});

// middleware to allow access of already authenticated
// (registered after the /login routes so that they stay reachable)
app.use((req, res, next) => {
   // check if session already authenticated
   if (req.session.authenticated) {
       next();
   } else {
       res.redirect("/login");
   }
});

// route that relies on previous middleware to prove authentication
app.get("/somethingElse", (req, res) => {
   // do something for this authenticated route
   res.send("authenticated content");
});

What is the difference between session id and connect.sid?

A cookie has a name and a value. By default, the cookie name for express session is connect.sid. The value for the cookie is an encrypted key that express-session uses as an index into the session store.

The session id is an internally unique id for each session object. It's used in the internal implementation of the session store. You don't really need to worry about what either of these are. They are used internally for various housekeeping purposes.

So connect.sid contains the cookie value that is sent to the client and that the client presents back to the server. It's purposely obscured with encryption and made difficult to forge or guess so that clients can't guess session values. The session id is used on the server only and does need those types of protections.
