What are "signed" cookies in connect/expressjs?

Question

I am trying to figure out what "signed cookies" actually are. There isn't much on the net, and if I try this:

app.use(express.cookieParser('A secret'));

But still... Cookies are still 100% normal on the browser, and I don't really know what "signed" is here (I was sort of hoping to "see" some weirdness on the client, something like the data encrypted using "A secret" as salt?)

The documentation says (https://github.com/expressjs/cookie-parser):


Parse Cookie header and populate req.cookies with an object keyed by the cookie names. Optionally you may enabled signed cookie support by passing a secret string, which assigns req.secret so it may be used by other middleware.

Does anyone know?

Merc.

Recommended answer

The cookie will still be visible, but it has a signature, so it can detect if the client modified the cookie.

It works by creating an HMAC of the value (current cookie) and base64-encoding it. When the cookie gets read, it recalculates the signature and makes sure that it matches the signature attached to it.

If it does not match, then it will give an error.

If you want to hide the contents of the cookie as well, you should encrypt it instead (or just store it in the server-side session). I'm not sure if there is middleware for that already out there or not.

Edit

And to create a signed cookie you would use

res.cookie('name', 'value', {signed: true})

And to access a signed cookie use the signedCookies object of req:

req.signedCookies['name']
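
The sign-then-verify scheme the answer describes, as an added example that is not part of the original answer and is not the cookie-parser source. It assumes HMAC-SHA256 and a "value.signature" layout; the names sign, unsign and mac and the sample values are this example's own, and returning false on a mismatch is a choice made here.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

// HMAC-SHA256 of the value, base64-encoded with '=' padding stripped.
// (SHA-256 is an assumption of this example.)
function mac(value, secret) {
  return createHmac('sha256', secret)
    .update(value)
    .digest('base64')
    .replace(/=+$/, '');
}

// Produce "value.signature". The value stays readable in the browser:
// signing detects modification, it does not hide the contents.
function sign(value, secret) {
  return value + '.' + mac(value, secret);
}

// Return the original value if the attached signature matches the
// recomputed one, otherwise false.
function unsign(signed, secret) {
  const idx = signed.lastIndexOf('.');
  if (idx === -1) return false; // no signature attached
  const value = signed.slice(0, idx);
  const given = Buffer.from(signed.slice(idx + 1));
  const expected = Buffer.from(mac(value, secret));
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length) return false;
  // Constant-time comparison avoids leaking how many bytes matched.
  return timingSafeEqual(given, expected) ? value : false;
}

// Constructed sample values, for illustration only.
const SECRET = 'A secret';
const cookie = sign('role=user', SECRET);
// Same signature, value edited on the client side.
const tampered = cookie.replace('role=user', 'role=admin');

console.log(cookie);                         // plaintext value plus signature
console.log(unsign(cookie, SECRET));         // value accepted
console.log(unsign(tampered, SECRET));       // modified value rejected
console.log(unsign(cookie, 'other secret')); // wrong key rejected
```

The first line of output shows why the cookie still looks "normal" in the browser: the value is in the clear, with only the signature appended after the dot.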
