Does Passport's logout function remove the cookie? If not, how does it work?


Question

From the docs:

Passport exposes a logout() function on req (also aliased as logOut()) that can be called from any route handler which needs to terminate a login session. Invoking logout() will remove the req.user property and clear the login session (if any).

app.get('/logout', function(req, res){
  req.logout();
  res.redirect('/');
});

From reading this and testing myself, it doesn't seem that logout removes the cookie from the client. From what I understand, when the client makes a request, it sends along its cookie, which Passport deserializes and transforms into req.user.

Assuming that logout doesn't remove the cookie and that Passport uses the cookie to determine whether or not the user is logged in, how does the logout function actually log the user out?

Recommended answer

I'm coming across this question about four years later, and fortunately, I think I understand it now.

Passport's logout function does not clear the session ID cookie for you. However, that isn't actually a problem. I'll explain why.

When you are logged in, here is how things work. When you send a request to the server, the session ID cookie is sent along with the request. Then the server takes that session ID, looks up the corresponding user with an active session, and populates req.user for you.

With that said, think about what happens if you log out, but don't clear that session ID cookie. Next time a request is sent, the cookie will still be sent along, because it wasn't cleared. But then what happens? It'll try to look up the corresponding user with an active session... but it won't find anything! So req.user won't end up being populated. That's why it isn't a big deal whether or not that cookie gets deleted.
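
The lookup described in the answer above, as a simplified stand-alone model in plain Node.js (an added example, not part of the original answer and not Passport's or the session middleware's own code). The `sid` cookie name, the in-memory `sessions` map and the sample user are assumptions; the `session.passport.user` key mirrors where Passport keeps the serialized user.

```javascript
const crypto = require('node:crypto');

const users = new Map([[1, { id: 1, name: 'alice' }]]); // constructed sample user
const sessions = new Map();                              // session ID -> server-side data

// Parse a Cookie header such as "theme=dark; sid=abc" into an object.
function parseCookies(header = '') {
  return Object.fromEntries(
    header.split(';').map(p => p.trim()).filter(p => p.includes('=')).map(p => {
      const i = p.indexOf('=');
      return [p.slice(0, i), decodeURIComponent(p.slice(i + 1))];
    })
  );
}

// What happens on every request: cookie -> session ID -> session record -> user.
function buildRequest(cookieHeader) {
  const sid = parseCookies(cookieHeader).sid;
  const session = sessions.get(sid);
  const req = { sessionID: sid, session, user: undefined };
  const userId = session && session.passport && session.passport.user;
  if (userId !== undefined) req.user = users.get(userId);
  return req;
}

// Login: create the server-side record and hand the client an unguessable ID.
function login(userId) {
  const sid = crypto.randomBytes(16).toString('hex');
  sessions.set(sid, { passport: { user: userId } });
  return `sid=${sid}`; // the browser keeps sending this value
}

// Logout: drop the login state on the server; the client's cookie is untouched.
function logout(req) {
  if (req.session && req.session.passport) delete req.session.passport.user;
  req.user = undefined;
}

// Replay the same cookie before and after logout.
function demo() {
  const cookie = login(1);
  const before = buildRequest(cookie);
  const userBefore = before.user && before.user.name;
  logout(before);
  const after = buildRequest(cookie); // identical Cookie header as before
  return { userBefore, userAfter: after.user, cookieUnchanged: after.sessionID === before.sessionID };
}
```

`demo()` shows the same cookie resolving to `alice` before logout and to no user afterwards, because the server-side record no longer names one.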
