Where is the express-session cookie hidden?

Question

My express-session is working, I tested it with a very short cookie max-age (10 secs) and it works as intended:

app.use(session({
  secret: 'xxx',
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true, maxAge: 10000 }
}));

The strange thing is that I can't find the cookie anywhere in my Chrome Developer Tools. Where is the cookie set by express-session hidden?

Update #2: See my own answer if you want to know where to see the cookie if you are sending an AJAX request to an express server on another domain.

Update - session management on my express server:

app.post('/verify', function(req, res){
    let out = [];

    if(!req.session.userId){

        if(typeof req.body.token !== 'undefined'){
            admin.auth().verifyIdToken(req.body.token)
            .then(function(decodedToken) {
              let uid = decodedToken.uid;

              if(!req.session.userId){
                  req.session.userId = uid;
              }

              res.send(uid);
              // ...
            }).catch(function(error) {
              // Handle error
              res.send(error);
            });
        }else{
            res.send('no token received');
        }
    }else{
        res.send('already logged in by session with uid: ' + req.session.userId + ' | session id: ' + req.session.id);
    }
});

And that's how the server is "started":

app.listen(port, function () {
  console.log('Example app listening on port ' + port + '!');
});

The problem is that the session(s) work, but I am not able to see the cookie(s):

Recommended answer

TL;DR

You can find the Cookie in the Chrome DevTools under:
Application > Storage > Cookies > URL of the express Server

To show that the cookies of express are stored correctly, I've started with a simple test server. Note that you used cookie.secure = true in your question, which requires an https connection to the server. Otherwise, the cookie will be dropped immediately by the browser. So let's use this simple one:

let fs = require('fs');

let privateKey  = fs.readFileSync('../../../apache/conf/ssl.key/server.key', 'utf8');
let certificate = fs.readFileSync('../../../apache/conf/ssl.crt/server.crt', 'utf8');
let credentials = {key: privateKey, cert: certificate};

let https = require('https');
let app = require('express')();
let session = require('express-session');

app.use(session({
    secret: 'keyboard cat',
    resave: false,
    saveUninitialized: true,
    cookie: {secure: true, maxAge: 10000}
}));

app.all('*', function(req, res) {
    res.status(200);
    res.setHeader('Content-Type', 'text/html');

    if (!req.session.views) {
        req.session.views = 0;
    }

    req.session.views++;
    res.write('<p>views: ' + req.session.views + '</p>');
    res.end();
});

https.createServer(credentials, app).listen(8080);

When working correctly, you should be able to open https://localhost:8080 in your browser and see content like views: 1.

When refreshing the browser, the count should increase with every request. The max lifetime of the cookie without a request is 10 seconds. After this time, the count will start at 1 again.

Within the 10-second lifetime, you can see the cookie under Application > Storage > Cookies > URL of the express Server inside the Chrome DevTools. The value of the cookie in this case is encrypted, of course.

As you mentioned later, your question relates to AJAX calls. In general, it's all the same as above. You can even see AJAX-created cookies instantly in the Storage > Cookies tab, but only if your cookie is configured correctly and belongs to the same domain.

The cookies in the Storage tab are selected by the cookie domain and the cookie path. The list will show and update everything that matches the pattern. So it seems, in your example, that the cookie doesn't match the requesting page.

As I saw on your page, you are opening the page with the URL https://***.firebaseapp.com and doing an AJAX request to https://***.herokuapp.com/verify/, which are two completely different domains. That's why you don't see them in the Storage tab!

If this still does not work when using the same domain, set a cookie.path in your session configuration. Then everything should work as described above. ;)
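
The domain and path matching described in the answer above, as an added example that is not part of the original question or answer: a simplified RFC 6265 model of which host a Set-Cookie response is stored under and which URLs that cookie then matches. The host names and cookie value are constructed placeholders, and all function names are hypothetical.

```javascript
// Added example: simplified RFC 6265 storage and matching model.
// Host names and the cookie value are constructed; function names are hypothetical.
const SAMPLE = 'connect.sid=s%3Aconstructed-id.constructed-sig; Path=/; HttpOnly; Secure';

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: null, path: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'domain') c.domain = v.trim().replace(/^\./, '').toLowerCase();
    else if (key === 'path') c.path = v.trim();
    else if (key === 'secure') c.secure = true;
  }
  return c;
}

const domainMatch = (host, domain) => host === domain || host.endsWith('.' + domain);
function pathMatch(reqPath, cookiePath) {
  if (!reqPath.startsWith(cookiePath)) return false;
  return reqPath.length === cookiePath.length || cookiePath.endsWith('/')
      || reqPath[cookiePath.length] === '/';
}

// What the browser stores after a response from responseUrl, or null if dropped.
function storeCookie(header, responseUrl) {
  const url = new URL(responseUrl);
  const c = parseSetCookie(header);
  if (c.secure && url.protocol !== 'https:') return null;   // Secure cookie over http
  const hostOnly = c.domain === null;                        // no Domain attribute
  if (!hostOnly && !domainMatch(url.hostname, c.domain)) return null; // foreign Domain
  const cut = url.pathname.lastIndexOf('/');                 // RFC 6265 default-path
  const defaultPath = cut <= 0 ? '/' : url.pathname.slice(0, cut);
  const path = c.path && c.path.startsWith('/') ? c.path : defaultPath;
  return { ...c, hostOnly, domain: hostOnly ? url.hostname : c.domain, path };
}

// Does the stored cookie belong to (and get listed or sent for) this URL?
function matchesUrl(stored, pageUrl) {
  const url = new URL(pageUrl);
  const hostOk = stored.hostOnly ? url.hostname === stored.domain
                                 : domainMatch(url.hostname, stored.domain);
  return hostOk && pathMatch(url.pathname, stored.path)
      && (!stored.secure || url.protocol === 'https:');
}
const stored = storeCookie(SAMPLE, 'https://backend-host.test/verify');
console.log(matchesUrl(stored, 'https://backend-host.test/verify'));      // API host
console.log(matchesUrl(stored, 'https://frontend-host.test/index.html')); // page host
```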
