req.session.destroy and passport logout aren't destroying cookie on client side


Problem description

I'm trying to destroy the cookie on the client side but can't seem to figure out how to. I've tried the few ways that passport and some answers on SO provided but I'm at a loss as to how to clear the actual cookie.

My code so far is:

app.get('/logout', function (req, res){
    sessionStore.destroy(req.sessionID, (err) =>{
        if(err)console.log(err);
        req.logout();
        req.session.destroy(function (err) {
            if(err) console.log(err);
            res.status(200).json({message : 'User Logged Out'});
        });

    });

});

I have also tried the req.logOut(); method.

Recommended answer

req.logout does not clear the session but instead it clears the login information from the session. An example from my session store after login:

> db.sessions.find().pretty();
{
  "_id" : "LkuoFL_cwkvNO3foD_k0zQYADevcdwW6",
  "session" : "{\"cookie\":{\"originalMaxAge\":null,\"expires\":null,\"httpOnly\":true,\"path\":\"/\"},\"passport\":{\"user\":\"test\"}}",
  "expires" : ISODate("2018-06-05T17:31:54.631Z")
}

Here you can see that passport.user in the session JSON holds the value I returned from serializeUser (the username). After calling req.logout the session store still holds the session but the serialized user information is missing, i.e. I'm not logged in anymore:

> db.sessions.find().pretty();
{
  "_id" : "LkuoFL_cwkvNO3foD_k0zQYADevcdwW6",
  "session" : "{\"cookie\":{\"originalMaxAge\":null,\"expires\":null,\"httpOnly\":true,\"path\":\"/\"},\"passport\":{}}",
  "expires" : ISODate("2018-06-05T17:32:02.391Z")
}

If I change my logout route handler to this:

app.post('/logout', (req, res) => {
  req.logout();
  req.session.destroy((err) => res.redirect('/'));
});

I can see that after logout the session above has disappeared but a new one was created because I landed on the front page and it starts a new session:

> db.sessions.find().pretty();
{
  "_id" : "KIX2rypzvpRdqW7VlzO8B8W-FMXwffGT",
  "session" : "{\"cookie\":{\"originalMaxAge\":null,\"expires\":null,\"httpOnly\":true,\"path\":\"/\"}}",
  "expires" : ISODate("2018-06-05T17:38:01.136Z")
}

Also the connect.sid cookie in the browser now holds the new session key.

Now add the clearCookie. With logout handler like this one:

app.post('/logout', (req, res) => {
  req.logout();
  req.session.destroy((err) => {
    res.clearCookie('connect.sid');
    // Don't redirect, just print text
    res.send('Logged out');
  });
});

the session store is empty after clicking the logout button (notice, that no further requests are performed in the example):

> db.sessions.find().pretty();
> 

and the response headers of the logout request show a cleared cookie:

Set-Cookie: connect.sid=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT

Now, if no further requests are performed to the server (new ones may start a new session even if not logged in) you should not see connect.sid cookie in the browser developer tools anymore.
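One way to check the outcome described in the answer, as an added example that is not part of the original answer: the function below inspects the Set-Cookie headers of a logout response and reports whether connect.sid is actually expired for the expected path. The function names and the sample headers are constructed for illustration; a browser only drops a cookie when the clearing header's name and Path match the cookie it stored.

```javascript
// Added example (not from the original answer). Function names are hypothetical.

// Parse one Set-Cookie header into { name, value, attrs } with lowercased attribute keys.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq < 0 ? '' : pair.slice(0, eq).trim(),
    value: eq < 0 ? pair : pair.slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// True only if some header expires `name` for exactly `path`.
// Max-Age takes precedence over Expires, as in RFC 6265.
function logoutClearsCookie(setCookieHeaders, name, path = '/', now = Date.now()) {
  return setCookieHeaders.map(parseSetCookie).some((c) => {
    if (c.name !== name || c.attrs.path !== path) return false;
    const maxAge = c.attrs['max-age'];
    if (maxAge !== undefined) return Number(maxAge) <= 0;
    const expires = c.attrs.expires;
    return expires !== undefined && Date.parse(expires) <= now;
  });
}

// Constructed sample responses, modelled on the three handlers in the answer.
const samples = {
  // req.logout() only: the response carries no Set-Cookie header at all.
  logoutOnly: [],
  // destroy + redirect: the front page issues a fresh session id.
  destroyThenRedirect: ['connect.sid=s%3Aconstructed-session-id.sig; Path=/; HttpOnly'],
  // destroy + clearCookie: header as shown in the answer.
  destroyAndClear: ['connect.sid=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT'],
  // Clearing header whose Path differs from the session cookie's Path.
  wrongPath: ['connect.sid=; Path=/app; Expires=Thu, 01 Jan 1970 00:00:00 GMT'],
};

for (const [label, headers] of Object.entries(samples)) {
  console.log(label, logoutClearsCookie(headers, 'connect.sid'));
}
```

If the session cookie was configured with a non-default path, pass that path as the third argument so the check reflects what the browser will match.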
