express-session secure: true


Question

const express = require("express");
const session = require("express-session");

const app = express();
// sessionStore is not shown in the question; a store instance is assumed
// to be created above this point.
app.use(session({
    secret: "testing credentials",
    store: sessionStore,
    resave: true,
    saveUninitialized: true,
    cookie  : {
        httpOnly: true,
        //secure: true,            // uncommenting this is what makes the session vanish over plain http
        maxAge  : 60 * 60 * 1000   // one hour, in milliseconds
    }
}));

I'm working on some security problems on my newly developed website. After doing some research online, I found that if secure=true is set, it will be more secure. However, if I set secure: true, the information inside the session is lost every time the user sends another request. Is there a way to solve this problem? If I don't include "secure: true" in cookie:, the session lasts for that maxAge.

Answer

If a cookie is set with the secure flag, it will only be sent to the server by the browser over https, and not plain http. This should be the default for production environments.

However, when developing an app, you probably use plain http on your dev machine. If you set your session cookie as secure in this case (using plain http), the server will never receive it, and you will experience a new empty session on each request.

So in short, you should only set the cookie as secure if you are using https (that is, in later stages of your development pipeline, and definitely in production).

On another note, if you set maxAge, the cookie will be persisted, which is not the best practice for session cookies. Without maxAge, the cookie will be kept until the user closes the browser and not normally persisted to disk, which is the correct behaviour for session cookies.
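The behaviour this answer describes, worked through in code. This is an added example, not code from the question or from the express-session project: it builds the options object the way the express-session README suggests (Secure and `proxy` only when running behind HTTPS, here keyed on `NODE_ENV === 'production'`) and then models the browser-side rule that makes a Secure cookie disappear over plain http, plus the persistent-versus-session distinction that `maxAge` introduces. The Set-Cookie header strings are constructed to resemble what express-session emits; `connect.sid` is express-session's default cookie name, the signed values are made up, and `SESSION_SECRET` is an assumed environment variable. Only Node.js core is needed to run it.

```javascript
// Added example: not from the question or the express-session project.
// Runs on Node.js alone; express/express-session are not required because
// the options object is only built, never handed to the real middleware.

// Build express-session options following the pattern in the express-session
// README: the Secure attribute (and trusting the reverse proxy's
// X-Forwarded-Proto header) is enabled only when running behind HTTPS,
// which here means NODE_ENV === 'production'.
function buildSessionOptions(env, sessionStore) {
  const opts = {
    // Assumption: the real secret is supplied through the environment in production.
    secret: process.env.SESSION_SECRET || 'dev-only-secret',
    store: sessionStore,
    resave: false,             // do not rewrite unchanged sessions to the store
    saveUninitialized: false,  // no cookie until something is stored in the session
    cookie: { httpOnly: true, sameSite: 'lax' }, // no maxAge: a true session cookie
  };
  if (env === 'production') {
    opts.proxy = true;          // honour X-Forwarded-Proto from the TLS terminator
    opts.cookie.secure = true;  // browser sends the cookie over https only
  }
  return opts;
}

// Minimal Set-Cookie parser: name/value plus the attributes relevant here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    secure: false, httpOnly: false, maxAge: null, expires: null,
  };
  for (const attr of attrs) {
    const [key, val] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'max-age': cookie.maxAge = Number(val); break;
      case 'expires': cookie.expires = new Date(val); break;
      default: break; // Path, Domain, SameSite do not matter for this question
    }
  }
  return cookie;
}

// RFC 6265 section 5.4: a cookie carrying Secure is attached only to requests
// over a secure scheme. This is why the server "never receives" the session
// cookie on a plain-http dev server and starts a fresh session each time.
function browserWouldSend(cookie, requestUrl) {
  const scheme = new URL(requestUrl).protocol;
  return !(cookie.secure && scheme !== 'https:');
}

// A cookie with Max-Age or Expires is persistent (written to disk and kept
// across browser restarts); without either it is discarded when the browser
// closes, which is what the answer recommends for session cookies.
function isPersistent(cookie) {
  return cookie.maxAge !== null || cookie.expires !== null;
}

// Constructed Set-Cookie headers in the shape express-session emits (default
// cookie name connect.sid, signed value). The values are made up.
const SECURE_PERSISTENT =
  'connect.sid=s%3Aabc123.sig; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; HttpOnly; Secure';
const PLAIN_SESSION = 'connect.sid=s%3Aabc123.sig; Path=/; HttpOnly';

function demo() {
  const secure = parseSetCookie(SECURE_PERSISTENT);
  const plain = parseSetCookie(PLAIN_SESSION);
  return {
    secureOverHttp: browserWouldSend(secure, 'http://localhost:3000/profile'),  // false: empty session every request
    secureOverHttps: browserWouldSend(secure, 'https://example.com/profile'),   // true
    plainOverHttp: browserWouldSend(plain, 'http://localhost:3000/profile'),    // true: why dropping secure "fixes" it
    securePersistent: isPersistent(secure),  // true: maxAge produced an Expires attribute
    plainPersistent: isPersistent(plain),    // false: discarded when the browser closes
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log(buildSessionOptions(process.env.NODE_ENV || 'development', null));
}
```

Run it with `node` to print the table, and with `NODE_ENV=production` to see `secure` and `proxy` switched on. The `proxy: true` line (or Express's `trust proxy` setting) matters when the production app sits behind a TLS-terminating proxy: the Node process then sees plain http, and without trusting `X-Forwarded-Proto` the same empty-session symptom comes back in production even though users connect over https.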
