是否可以在Sails.js会话中存储完整的用户信息? [英] Safe to store complete user info in session with Sails.js?
问题描述
我正在构建一个包含用户登录名的Sails.js应用程序.按照文档说明,当用户登录时,会话将在会话中相应地记录其ID:
I'm building a Sails.js app that includes a user login. As the documentation instructs, when a user signs in, the session records her id in the session accordingly:
req.session.userId = createdUser.id;
在大多数示例中,每个路由都会对该ID(如果存在)执行查找,并将找到的经过身份验证的用户发送到视图.这使我感到非常低效.每个视图都需要知道是否有登录用户才能在左上角显示其名称.因此,如果我理解正确的话,即使我通过创建对每条路线执行此查找的策略来减少代码量,每个视图都包含一次访问数据库以查找用户的行程.
In most of the examples, each route performs a lookup on this ID, if it's present, and sends the authenticated user to the view if found. This strikes me as very inefficient. EVERY view needs to know if there's a signed-in user in order to display her name in the upper left corner. So, if I understand right, every view includes a trip to the database to look up the user, even if I reduce the amount of code by creating a policy that performs this lookup for every route.
我想做的是在会话中记录用户的信息,这样,一旦用户通过身份验证,该信息便会自动显示在每个视图中:
What I would rather do is record the user's information in the session so that, once she is authenticated, that information is automatically present to every view:
req.session.userId = createdUser.id;
createdUser.loggedIn = true;
req.session.user = createdUser;
// the createdUser object does NOT contain the encrypted password or other sensitive info
然后,我可以从layout父模板(和任何子模板)中像签入用户一样签入模板. (我正在使用服务器端视图.)
This then allows me to just check in the template for a signed-in user like so from the layout parent template (and any child template). (I'm using server-side views.)
{% if (session.user && session.user.loggedIn) %}
<li><a href="/profile/{{ session.user.id }}">Hi there, {{ session.user.username }}</a></li>
{% else %}
<li><a href="/signin">Sign In (if you want)</a></li>
{% endif %}
我的问题是,这是否构成任何形式的安全风险.似乎比在每个视图中查找用户都更有效率,但是也许有一个原因似乎文档似乎建议这样做?
My question is whether this poses a security risk of any kind. It seems MUCH more efficient than looking up the User in every view, but perhaps there's a reason that documentation seems to advise this?
推荐答案
在大多数示例中,如果满足以下条件,则每个路由都会对此ID执行查找 它存在,并将找到的经过身份验证的用户发送到视图
In most of the examples, each route performs a lookup on this ID, if it's present, and sends the authenticated user to the view if found
仅供参考,理想情况下,这应该由政策来处理.
FYI, ideally this should be handled by a policy.
这让我觉得效率很低.每个视图都需要知道 有一个登录用户,以便在上方显示她的名字 左上角.因此,如果我理解正确,那么每个视图都包含一次旅行 数据库来查找用户,即使我减少了代码量 通过创建对每个路由执行此查找的策略.
This strikes me as very inefficient. EVERY view needs to know if there's a signed-in user in order to display her name in the upper left corner. So, if I understand right, every view includes a trip to the database to look up the user, even if I reduce the amount of code by creating a policy that performs this lookup for every route.
您要么进行额外的数据库往返操作,要么就夸大了会话.两者都有其优点和缺点.例如.当创建不必扩展的后端应用程序时,我不在乎这种额外的数据库查找.但是,当我有成千上万的用户时,我应该关心.在构建应用程序时,必须考虑这一点.需要扩展的应用程序喜欢使用例如redis作为用于优化的会话存储.
Either you make extra roundtrips to the database or you bloat your sessions. Both have their pros and cons. E.g. when creating a backend application that does not have to scale, I do not care about this extra database lookups. However when I have hundred thousands of users I should care. You have to consider this when you architect your application. Applications that need to scale like to use e.g. redis as a session store for optimization.
所以要回答您的问题,是的,可以在会话对象中存储用户名等,以避免额外的数据库查找.我不是安全专家,但是我不建议在会话中存储任何敏感的用户信息,例如密码.
So to answer your question, yes it is okay to store username etc. in the session object to avoid extra database lookups. I am not a security expert, but I would not suggest to store any sensitive user information in the session like passwords.
顺便说一句,我强烈建议使用 http://passportjs.org/.它与风帆的融合非常好.
BTW I highly recommend using http://passportjs.org/. It integrates with sails very well.
让您入门:
- http://iliketomatoes.com /implement-passport-js-authentication-with-sails-js-0-10-2/
- https://www.airpair.com/express/posts/expressjs-and-passportjs-sessions-deep-dive
- http://iliketomatoes.com/implement-passport-js-authentication-with-sails-js-0-10-2/
- https://www.airpair.com/express/posts/expressjs-and-passportjs-sessions-deep-dive
在此示例中,您可以看到用户名,电子邮件和用户角色如何存储在会话对象中:
In this example you can see how username, email and the roles of the user are stored in the session object:
passport.serializeUser(function(user, done) {
var sessionUser = { _id: user._id, name: user.name, email: user.email, roles: user.roles }
done(null, sessionUser);
});
这篇关于是否可以在Sails.js会话中存储完整的用户信息?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
