Maintaining login session across subdomains in nodejs mongostore

Problem description

I'm developing a nodejs web application, in that I have multiple subdomains like domain.com, sub1.domain.com, sub2.domain.com etc.

If a user logs in to sub1.domain.com and gets redirected to domain.com or sub2.domain.com, it shows them as not logged in.

How can I maintain this session across sub-domains and in main-domain?

I'm using express, nodejs, mongodb.

// requires added; constructor form assumed to match the connect-mongo version in use
var express = require('express');
var session = require('express-session');
var MongoStore = require('connect-mongo')(session);
var app = express();

app.use(session({
    secret: "secret key",
    store: new MongoStore({
        db: "session-db"
    })
}));

I tried setting up like this, didn't work:

app.use(session({
    secret: "secret key",
    cookie: { domain: '.yourdomain.com' }, // here I used '.localhost'
    store: new MongoStore({
        db: "session-db"
    })
}));

Solution

What you're asking is not recommended, e.g.: Share cookie between subdomain and domain

What you really want, is Single Sign On (SSO).

There are two ways to do SSO in Node (that I'm aware of, there are probably other tools out there that I've never heard of):

  • Write the code yourself. Basically what you'll do is set up a domain like login.mysite.com which you redirect users to for authentication. Once they're authenticated, you generate a JWT and then redirect the user to othersubdomain.mysite.com/?token=xxx where xxx is your JWT. This way, your othersubdomain project can verify the JWT is valid, and log the user in there as well.
  • Use a library like express-stormpath with their SSO feature (described here). This is a paid service (it has a free plan though), which does this stuff for you 100%.

I'm the author of the express-stormpath library, so I'm a bit biased, but in general, SSO stuff is actually quite complex, and there are a lot of potential issues implementing things incorrectly with it.
