Expressjs不会破坏会话 [英] Expressjs doesn't destroy session
问题描述
在服务器上触发事件触发:
app.delete('/ session',function(req,res){
if(req.session){
req .session.destroy(function(){
res.clearCookie('connect.sid',{path:'/'});
res.send('removed session',200);
});
} else {
res.send('no session assigned',500);
}
});
这个奇怪的是我可以多次按下注销按钮,而不会收到HTTP 500错误代码。另外,铬显示我仍然存在一个cookie。
发生了什么问题?
编辑:
我发现这不是一个会话问题,而是一个cookie一。
我添加了res.clearCookie到路由。不幸的是,行为(cookie,会话保持活着)没有改变
EDIT2 :
我现在给了res.clearCookie一些参数=> res.clearCookie('connect.sid',{path:'/'});
现在至少cookie在浏览器中消失了。但会议似乎仍然可用。
或至少我可以打电话给退出路由多少我想要甚至req.session应该是假的
EDIT3:
我现在将所有会话从redis中删除并重新启动所有内容(redis,node,browser)。
比我再次登录并注销。这是迄今为止的工作,但是当我使用F5重新启动页面时,我将获得一个新的会话。为什么?
为了集中所有意见,我已经写了一个答案:
因为快递总是为客户创建一个会话和一个cookie,我们必须采取不同的方法,而不仅仅是检查是否有一个会话。
登录
app.post('/ session',function(req,res){
User.findOne用户名:req.body.username})
.select('salt')//我的mongoose模式不会获取盐
.select('password')//和默认密码
.exec(function(err,user){
if(err || user === null)throw err; //这里可怕的错误处理
// mongoose模式方法,检查是否发送凭据
//等于散列密码(允许回调)
user.hasEqualPassword(req.body.password,function(hasEqualPassword){
if(hasEqualPasswo rd){
//如果密码匹配我们这样做:
req.session.authenticated = true; //标记会话,所有登录检查现在检查验证是否为真(这是安全区域检查中间件所必需的)
req.session.user = user; //这是可选的。我已经做到这一点,因为我想要有用户凭据可用
//另一个好处是在会话中存储用户实例是
//我们可以从redis的速度获得。如果用户注销,我们将不得不在会话中保存用户实例(没有尝试过)
res.send(200); //发送客户端一切都OK OK
} else {
res.send(wrong password,500); //告诉客户密码是错误的(在生产系统上,你想隐藏什么走了)
}
});
});
});
这是登录部分让我们注销:
app.delete('/ session',function(req,res){
//这里是我们的安全检查
//如果你使用一个isAuthenticated-middleware,你可以使这个更短的
如果(req.session.authenticated){
//这会破坏当前会话(真的不必要,因为你得到一个新的
req.session .destroy(function(){
//如果你不想破坏整个会话,因为你反正得到一个新的,你也可以只是更改标志和删除私人信息
// req .session.user.save(callback(err,user))//没有检查这个
// delete req.session.user; //删除凭据
//req.session.authenticated = false; //设置标志
//res.clearCookie('connect.sid',{path:'/'}); //查看上面的注释res.send('removed session',20 0); //告诉客户一切顺利
});
} else {
res.send('cant remove public session',500); //公开会话不包含明智的信息,所以我们离开他们
}
});
希望这有帮助
I have an Backbone View which sends an Ajax call to the server to remove a session.
On the server following event is triggered:
app.delete('/session', function(req, res) {
if (req.session) {
req.session.destroy(function() {
res.clearCookie('connect.sid', { path: '/' });
res.send('removed session', 200);
});
} else {
res.send('no session assigned', 500);
}
});
The weird about this is that I can press the logout button multiple times without getting a HTTP 500 error code. Also chromium shows me that a cookie still exists.
What is going wrong?
Regards
EDIT:
I found out that this isn't directly a session issue but a cookie one. I added res.clearCookie to the route. Unfortunatly the behaviour (cookie, session keep alive) didn't change
EDIT2: I now gave res.clearCookie some parameters => res.clearCookie('connect.sid', { path: '/' }); Now at least the cookie is gone in the browser. But the session seems to be still available. Or at least I can call the logout route how often I want even req.session should be false
EDIT3: I now removed all sessions out of redis and restarted everything (redis, node, browser). Than I have logged in again and logged out. This works so far but when I relaod the page with F5 I get a new session. WHY?
To concentrate all comments together I have written an answer:
Because express always creates a session and a cookie for a client we have to take a different approach than just to check if there is a session.
This parts handles logins
app.post('/session', function(req, res) {
User.findOne({ username: req.body.username })
.select('salt') // my mongoose schema doesn't fetches salt
.select('password') // and password by default
.exec(function(err, user) {
if (err || user === null) throw err; // awful error handling here
// mongoose schema methods which checks if the sent credentials
// are equal to the hashed password (allows callback)
user.hasEqualPassword(req.body.password, function(hasEqualPassword) {
if (hasEqualPassword) {
// if the password matches we do this:
req.session.authenticated = true; // flag the session, all logged-in check now check if authenticated is true (this is required for the secured-area-check-middleware)
req.session.user = user; // this is optionally. I have done this because I want to have the user credentials available
// another benefit of storing the user instance in the session is
// that we can gain from the speed of redis. If the user logs out we would have to save the user instance in the session (didn't tried this)
res.send(200); // sent the client that everything gone ok
} else {
res.send("wrong password", 500); // tells the client that the password was wrong (on production sys you want to hide what gone wronge)
}
});
});
});
That was the login part lets go to the logout:
app.delete('/session', function(req, res) {
// here is our security check
// if you use a isAuthenticated-middleware you could make this shorter
if (req.session.authenticated) {
// this destroys the current session (not really necessary because you get a new one
req.session.destroy(function() {
// if you don't want destroy the whole session, because you anyway get a new one you also could just change the flags and remove the private informations
// req.session.user.save(callback(err, user)) // didn't checked this
//delete req.session.user; // remove credentials
//req.session.authenticated = false; // set flag
//res.clearCookie('connect.sid', { path: '/' }); // see comments above res.send('removed session', 200); // tell the client everything went well
});
} else {
res.send('cant remove public session', 500); // public sessions don't containt sensible information so we leave them
}
});
Hope this helps
这篇关于Expressjs不会破坏会话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
