What are "signed" cookies in connect/expressjs?

Question

I am trying to figure out what "signed cookies" actually are. There isn't much on the net, and if I try this:

app.use(express.cookieParser('A secret'));

But still... Cookies are still 100% normal on the browser, and I don't really know what "signed" is here (I was sort of hoping to "see" some weirdness on the client, something like the data encrypted using "A secret" as salt?)

The documentation says (https://github.com/expressjs/cookie-parser):

Parse Cookie header and populate req.cookies with an object keyed by the cookie names. Optionally you may enable signed cookie support by passing a secret string, which assigns req.secret so it may be used by other middleware.

Does anyone know?

Mercenary

Recommended answer

The cookie will still be visible, but it has a signature, so it can detect if the client modified the cookie.

It works by creating an HMAC of the value (current cookie) and base64 encoding it. When the cookie gets read, it recalculates the signature and makes sure that it matches the signature attached to it.

If it does not match, then it will give an error.

If you want to hide the contents of the cookie as well, you should encrypt it instead (or just store it in the server-side session). I'm not sure if there is middleware for that already out there or not.

Edit

And to create a signed cookie you would use

res.cookie('name', 'value', {signed: true})

And to access a signed cookie use the signedCookies object of req:

req.signedCookies['name']
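
The sign-and-verify scheme described in the answer, written out with Node's built-in crypto module. This is an added example, not part of the original answer and not cookie-parser's own code; the helper names `sign` and `unsign`, the HMAC-SHA256 choice, the `value.signature` layout and the sample cookie values are assumptions made for illustration, and a failed check returns `false` here.

```javascript
const crypto = require('crypto');

// Append base64(HMAC-SHA256(value, secret)) to the value.
// The value itself stays readable: signing gives integrity, not secrecy.
function sign(value, secret) {
  const mac = crypto.createHmac('sha256', secret).update(value).digest('base64');
  return value + '.' + mac;
}

// Recompute the signature over the received value and compare it with the
// one attached to the cookie. Returns the value if intact, otherwise false.
function unsign(signed, secret) {
  const idx = signed.lastIndexOf('.'); // base64 never contains '.', so the last dot is the separator
  if (idx === -1) return false;        // no signature attached at all
  const value = signed.slice(0, idx);
  const expected = Buffer.from(sign(value, secret));
  const actual = Buffer.from(signed);
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (expected.length !== actual.length) return false;
  // Constant-time comparison avoids leaking how many signature bytes matched.
  return crypto.timingSafeEqual(expected, actual) ? value : false;
}

// Constructed sample values.
const secret = 'A secret';
const cookie = sign('role=guest', secret);
const tampered = cookie.replace('role=guest', 'role=admin');

console.log(cookie);                          // value is visible, signature follows the dot
console.log(unsign(cookie, secret));          // intact cookie: value is returned
console.log(unsign(tampered, secret));        // client changed the value: rejected
console.log(unsign(cookie, 'wrong secret'));  // signed with a different secret: rejected
```

Because the value is readable on the client, anything confidential still belongs in an encrypted cookie or a server-side session, as the answer notes.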
