浏览器后退按钮不会破坏 PassportJS + ExpressJS 中的会话.如何完全终止/终止会话? [英] Browser Back Button doesn't destroy the session in PassportJS + ExpressJS. How to kill/terminate the session entirely?

问题描述

我的注销机制的代码是

app.get('/logout', isLoggedIn, function(req, res) {
        req.logout();
        res.redirect('/');
    });

我正在使用使用密钥的 Express 会话包，没有在任何地方设置 Cookie.

Am using a Express-session package using a secret key, haven't set Cookies anywhere.

虽然我在注销后单击浏览器后退按钮，但它仍然允许用户返回到正在验证的页面.如何完全终止此会话?

While I click the browser Back button after logout, It still allows the user to go back to the page being authenticated. How do I terminate this session entirely?

isLoggedIn 只是通过 PassportJS 的 isAuthenticated 方法进行身份验证.这里的出路是什么?

isLoggedIn is just authenticating via PassportJS's isAuthenticated method. What is the way out here?

请帮忙.提前致谢.

这是会话 ID

推荐答案

将 Cache-control 标头设置为 no-cache conditionally已注销用户

Set the Cache-control headers to no-cache conditionally for logged out users

app.use(function(req, res, next) {
    if (!req.user)
        res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
    next();
});

这将强制浏览器获取页面的新副本，即使他们点击返回".

This will force the browser to obtain new copy of the page even when they hit "back".

注意:这是以为所有未登录的用户禁用缓存为代价的，为了这个答案，包括刚刚登录的用户出去.如果您不想为所有注销用户完全禁用缓存，您可能应该找到一种方法来区分这两者.有会话的东西..

Note: This comes at the cost of disabling cache for all users that aren't logged in, which for the sake of this answer includes the ones that just logged out. You should probably find a way to distinguish between the two if you don't want to disable cache entirely for all logged out users. Something with sessions..

如果你确定当用户回击时，'/login' 是他们将登陆的路线，那么你可以只在那里定义它，从而避免自己做的麻烦以上.

If you're sure that when user hits back, '/login' is the route that they will land on, then you can define it only there, thus saving yourself from the trouble of doing the above.

这段代码到底去哪儿了?

Where exactly does this code go?

app.get('/logout', isLoggedIn, function(req, res) {
    req.logOut();
    if (!req.user) 
        res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
    res.redirect('/login');
});

可以这样使用吗?

没有

app.get(或 app.use)定义你的路由.文档:http://expressjs.com/api.html#request

app.get (or app.use) defines your routes. Documentation: http://expressjs.com/api.html#request

app.get('/logout'... 将仅在路由 '/logout' 被请求时被执行客户.

app.get('/logout'... will only be executed if the route '/logout' is requested by the client.

app.use(...)(不指定任何路由)将对所有请求执行.

app.use(...) (without specifying any route) will be executed for all requests.

这些路由中间件"(正如它们所称的那样)也是依次执行的.(您将在上面提到的文档中了解更多信息)

These route "middlewares" (as they are called) are also executed in succession to one another. (you'll learn more in the docs mentioned above)

您希望在任何其他路由之前设置标头，以便无论其他路由呈现什么，都使用强行使用户缓存无效的标头呈现.

You want to set the headers before any other route, so that whatever those other routes render, is rendered with the header that forcibly invalidated the user's cache.

// > HERE <
// before all the other routes

app.get('/logout'...
app.get('/login'...
app.get('/'...
app.get('/stuff'...

这篇关于浏览器后退按钮不会破坏 PassportJS + ExpressJS 中的会话.如何完全终止/终止会话?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！