如何从客户端访问cookie会话？ [英] How can I access cookie-session from client side?

问题描述

我正在使用NodeJS构建应用程序单个页面，并想使用我的cookie会话（cookie-session npm）来验证用户是否登录。我可以从节点服务器端获取并设置会话cookie，但是我不知道如何从客户端获取。

I am building an application single page using NodeJS, and want to use my cookie session (cookie-session npm) to verify if the user is logged in or not. From my node server side I can get and set the session cookie, but I do not know how to get from my client side.

这是我从服务器端进行设置的方式：

This is how I am setting up from my server side:

req.session.user_id = user[0]._id;

user [0] ._ id 在哪里我从mongodb获得的用户ID。

Where user[0]._id is my user id that I get from my mongodb.

推荐答案

因此，假设您已配置 cookie-会话像这样：

So let's assume you've configured cookie-session something like this:

var cookieSession = require('cookie-session');

app.use(cookieSession({
    keys: ['secret']
}));

然后让我们在会话中存储一些数据：

Then let's store some data in the session:

req.session.user_id = 123;

如果您在浏览器的开发工具中查看，则会看到2个cookie：

If you look in your browser's dev tools you'll see 2 cookies set:

express:sess = eyJ1c2VyX2lkIjoxMjN9
express:sess.sig = 01I_Rx2gACezZI1tdl2-NvxPq6w

cookie express：sess 是base64编码的。如果我们对其解码，则会得到 { user_id：123} 。重要的是要了解会话数据是存储在cookie本身中的-这不仅仅是会话的id。

The cookie express:sess is base64 encoded. If we decode it we get {"user_id":123}. It's important to appreciate that the session data is being stored in the cookie itself - this isn't just an id for the session.

另一个cookie express：sess.sig 是签名。此签名是使用密钥（在此示例中为 secret ）生成的，用于帮助防止篡改。任何人都可以轻松修改 express：sess ，但是除非他们也可以生成相应的 express：sess.sig 服务器

The other cookie, express:sess.sig, is the signature. This signature is generated using the key (secret in this example) and is used to help prevent tampering. It's easy for anyone to modify express:sess but unless they can also generate the corresponding express:sess.sig the server will know it's been changed.

所有这些，我建议您看看 express-session 中间件。这也使用cookie，但仅使用cookie来存储会话ID。 Cookie中没有存储任何数据，而所有数据都存储在服务器上。这与会话在大多数其他Web框架中的工作方式非常相似，但是我无法确定哪种方法最适合您的需求。

All that said, I suggest you take a look at the express-session middleware. That also uses cookies but it only uses them to store the session id. No data is stored in the cookie, that is all stored on the server. This is much more akin to how sessions work in most other web frameworks but I can't say for certain which approach is best suited to your needs.

您使用哪种方法Cookie，默认情况下设置为 httponly 。您将可以在浏览器的开发工具中对此进行验证。这意味着它已包含在HTTP请求中，但无法通过客户端JavaScript访问。这是一种安全措施，旨在使恶意代码更难以窃取Cookie。您可以使用以下命令在 cookie会话中禁用此安全功能：

Whichever approach you use the cookie with be set to httponly by default. You'll be able to verify this in your browser's dev tools. This means that it's included on HTTP requests but isn't accessible via client-side JavaScript. This is a security measure designed to make it more difficult for malicious code to steal the cookie. You can disable this security feature in cookie-session using:

app.use(cookieSession({
    httpOnly: false,
    keys: ['secret']
}));

然后您就可以使用 document.cookie 。

我重申这是一项安全措施，不建议将其关闭。我无法判断这是否是您的应用程序中的真正问题。

I reiterate that this is a security measure and turning it off isn't recommended. It's impossible for me to judge whether this is a genuine concern in your application.

从您的问题中尚不清楚您是否真正想从应用程序中解析值。 cookie或仅检查其存在。如果需要解析它，则需要对basecookie值进行base64解码，然后对其进行JSON解码。

It isn't clear from your question whether you actually want to parse the values out of the cookie or just check for its existence. If you need to parse it then you'll need to base64 decode the relevant cookie value and then JSON decode it.

您可以采用多种替代方法来保持Cookie httponly 。如果不了解您将如何处理这些信息，就很难具体说明。如果您使用的是Express视图（即模板渲染），则可以在模板中完成所有工作。如果您位于SPA领域，则可以使用AJAX请求来收集相关信息。在紧要关头，您甚至可以使用另一个cookie为您提供所需的信息，同时确保会话cookie的安全。

There are various alternative approaches you might adopt to keep the cookies httponly. Without knowing more about what you're going to do with this information it's difficult to be specific. If you're using Express views (i.e. template rendering) then you can do all the work in the template. If you're in SPA territory then you could maybe use an AJAX request to gather the relevant information. At a pinch you could even use another cookie to give you the information you need while keeping the session cookies safe.

这篇关于如何从客户端访问cookie会话？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！