What are "signed" cookies in connect/expressjs?

Question

I am trying to figure out what "signed cookies" actually are. There isn't much on the net, and if I try this:

app.use(express.cookieParser('A secret'));

But still... Cookies are still 100% normal on the browser, and I don't really know what "signed" is here (I was sort of hoping to "see" some weirdness on the client, something like the data encrypted using "A secret" as salt?)

The documentation says (https://github.com/expressjs/cookie-parser):


Parse Cookie header and populate req.cookies with an object keyed by the cookie names. Optionally you may enable signed cookie support by passing a secret string, which assigns req.secret so it may be used by other middleware.

Does anybody know?

Merc.

Recommended answer

The cookie will still be visible, but it has a signature, so it can detect if the client modified the cookie.

It works by creating an HMAC of the value (current cookie) and base64-encoding it. When the cookie gets read, it recalculates the signature and makes sure that it matches the signature attached to it.

If it does not match, then it will give an error.

If you want to hide the contents of the cookie as well, you should encrypt it instead (or just store it in the server-side session). I'm not sure if there is middleware for that already out there or not.

Edit

And to create a signed cookie you would use

res.cookie('name', 'value', {signed: true})

And to access a signed cookie use the signedCookies object of req:

req.signedCookies['name']
