What's the difference between express-session and cookie-session?

…衆ロ難τιáo~ submitted on 2019-12-03 00:53:25

Question


I am new to Express. As Express 4.x has removed the bundled middleware, any middleware I want to use has to be required. When I read the READMEs of express-session and cookie-session on GitHub, I find it hard to understand the difference.

So I tried to write some simple code to figure it out. I ran it twice for each middleware.

var express = require('express')
  , cookieParser = require('cookie-parser')
  , session = require('cookie-session')
  , express_sess = require('express-session')
  , app = express();

app.use(cookieParser())
app.use(session({ keys: ['abc'], name: 'user' }));
//app.use(express_sess({ secret: 'abc', key: 'user'}));
app.get('/', function (req, res, next) {
    res.end(JSON.stringify(req.cookies));
    console.log(req.session)
    console.log(req.cookies)
});

app.listen(3000);

For cookie-session, I always get {} in my terminal.

For express-session, I get things like this.

req.session: { cookie: { 
     path: '/',
     _expires: null,
     originalMaxAge: null,
     httpOnly: true 
   } 
}

req.cookie: {user: 's:aJ97vKA5CCwxqdTj0AV1siRQ.fWusS5+qfCKICtwkfrzcZ/Gq8P0Qdx/kx8mTBhoOhGU'}

It really confuses me. So how can this result be explained for the basic use? And what's the difference between them? When should I use them?


Answer 1:


Basically, express-session is more abstract; it supports different session stores (like files, DB, cache and whatnot).

And cookie-session is a simple / lightweight cookie-based (cookie is the only storage engine supported: all the session info is stored on the client, in a cookie) session implementation. This kind of session is probably most famous for its Rails implementation.




Answer 2:


The basic difference between the two relates to how and where the session data is stored. Cookie Session is basically used for lightweight session applications where the session data is stored in a cookie within the client [browser], whereas Express Session stores just a mere session identifier within a cookie on the client end, whilst storing the session data entirely on the server. Cookie Session is helpful in applications where no database is used in the back-end. However, the session data cannot exceed the cookie size. In cases where a database is used, it acts like a cache to stop frequent database lookups, which are expensive.




Answer 3:


express-session stores the session identifier in the cookie while the actual session data resides in a backend session store like connect-redis, whereas cookie-session allows you to store the session data in a cookie (client-side).

From the documentation of cookie-session:

A user session can be stored in two main ways with cookies: on the server or on the client. This module stores the session data on the client within a cookie, while a module like express-session stores only a session identifier on the client within a cookie and stores the session data on the server, typically in a database.

The main advantage of using cookie-session is when you have a clustered node.js app, then you don't have to rely on sharing session data between forked processes.
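
The two storage models described in the answers above, as an added example that is not part of the original answers and is not either package's own code. It uses only Node's `crypto`; the helper names are hypothetical, and the cookie layouts (`s:<id>.<HMAC-SHA256>` as printed in the question, and base64 JSON with a separate `<name>.sig` HMAC-SHA1 cookie) are assumptions about what the two middlewares emit by default.

```javascript
const crypto = require('crypto');

const SECRET = 'abc';           // toy secret, as in the question; use a long random one in practice
const serverStore = new Map();  // stands in for a server-side store (Redis, DB, ...)

const b64 = (s) => Buffer.from(s).toString('base64');
const unb64 = (s) => Buffer.from(s, 'base64').toString('utf8');
const hmac = (alg, msg, enc) => crypto.createHmac(alg, SECRET).update(msg).digest(enc);
function sameMac(a, b) {        // constant-time comparison of two MAC strings
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Server-side model: cookie = "s:<id>.<HMAC-SHA256(id)>"; the data never leaves the server.
function issueServerSession(data) {
  const id = crypto.randomBytes(18).toString('base64url');
  serverStore.set(id, data);
  return 's:' + id + '.' + hmac('sha256', id, 'base64').replace(/=+$/, '');
}
function readServerSession(cookie) {
  if (!cookie.startsWith('s:')) return null;
  const dot = cookie.lastIndexOf('.');
  const id = cookie.slice(2, dot), mac = cookie.slice(dot + 1);
  const expected = hmac('sha256', id, 'base64').replace(/=+$/, '');
  return sameMac(mac, expected) ? serverStore.get(id) || null : null;
}

// Client-side model: cookie value = base64(JSON); a second cookie "<name>.sig" holds the MAC.
function issueClientSession(name, data) {
  const value = b64(JSON.stringify(data));
  return { value, sig: hmac('sha1', name + '=' + value, 'base64url') };
}
function readClientSession(name, value, sig) {
  const expected = hmac('sha1', name + '=' + value, 'base64url');
  return sameMac(sig, expected) ? JSON.parse(unb64(value)) : null;
}

// What anyone holding the cookie can do with no knowledge of SECRET.
function peekWithoutSecret(value) {
  return JSON.parse(unb64(value));
}
```

The signature gives the client-side cookie integrity, not confidentiality: the holder can read every field, so only data that is safe to disclose belongs in it.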




Answer 4:


Let me share an important difference I found: secure cookies.

I have a node process behind an nginx proxy which handles SSL.

I tried with express-session, but I could not enable secure cookies, see issue here.

Then I tried with almost the same code, but with cookie-session instead, something like

    const expressSession = require('cookie-session')

   var expiryDate = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); // 7 days

    const session = expressSession({
      secret: sessionSecret,
      resave: false,
      saveUninitialized: true,
      cookie: {
        secureProxy: true,
        httpOnly: true,
        domain: 'example.com',
        expires: expiryDate
      }
    })

    app.use(session)

I just changed require('express-session') to require('cookie-session') and added secureProxy: true; everything worked out of the box.

Note also that both packages are maintained by expressjs so probably in my use case I was lucky finding out that cookie-session fits my needs.




Answer 5:


To get a non-empty console.log(req.session) you need to set session values before logging.

From the cookie-session repo (https://github.com/expressjs/cookie-session):

app.get('/', function (req, res, next) {
 req.session.views = (req.session.views || 0) + 1
 console.log(req.session)
 res.end(req.session.views + ' views')
})

If you never set any info on the req.session object, it will return empty.




Answer 6:


v4 cookie-session (Establish cookie-based sessions.) is equivalent to v3 express.cookieSession

v4 express-session (Establish server-based sessions (development only).) is equivalent to v3 express.session



Source: https://stackoverflow.com/questions/23566555/whats-difference-with-express-session-and-cookie-session
