How does passport.js store the user object in the session?


Problem description

I am using node/express with passport in my development. I came across an article which says:

Express loads the session data and attaches it to the req. As passport stores the serialised user in the session, the serialised user object can be found at req.session.passport.user.

But to my surprise, the value of the sessionID stored in the browser cookies remains the same before and after login. So where is the serialised user object stored? I thought that it was stored in the user's sessionid cookie initially, but it seems that this is not the case, as I can still access my user object with req.session.passport.user

Solution

So where is the serialised user object stored?

In Short

The serialized user object is stored in req.user by PassportJS, taken from req.session.passport.user (which is populated by Express) with the help of Passport's deserializeUser method.

Express adds the id of the session object into a cookie on the user's browser, which is sent back to Express in a header on every request. Express then takes the id from the header, searches the session store (i.e. Mongo or whatever), finds the entry and loads it into req.session.

PassportJS uses the content of req.session to keep track of the authenticated user with the help of the serializeUser and deserializeUser methods (for more information on the workflow of serializeUser and deserializeUser see my answer in this SO question).

Express is responsible for creating the session. When do sessions get created? When Express does not detect a session cookie. So the order in which you organize your session and passport configs in your app or server.js file is very important. If you declare your session and passport configs above the static directory configs, then all requests for static content will also get a session, which is not good.

See my answer to this SO question, where I have mentioned static content access as well as how to selectively apply passport to certain routes rather than the default (you might not need to authenticate all the routes, hence you could avoid unnecessary session store lookups and de-serialization by attaching the session only to requests that map to secure URLs, see below).

//selectively applying passport to only secure urls
var passportSession = passport.session(); // build the middleware once, not on every request
app.use(function(req, res, next){
  // String argument to match() is treated as a regex and matched anywhere in the url
  if(req.url.match('/xxxx/secure'))
    passportSession(req, res, next);   // deserialize the user only for secure urls
  else
    next(); // do not invoke passport
});

There is one amazing tutorial that I highly recommend you read if you want to understand the workflow of PassportJS.
