发表新帖
发表新帖

Working with Sessions in Express.js

前端 未结
关注
2 1550
天命终不由人
天命终不由人 2020-12-22 22:17

I need help understanding the concept of sessions for a web application. I am running a Node.js server with Express 3.0.

My goals are to:

  • Create a s

相关标签:
2条回答
  • 情深已故
    2020-12-22 23:02

    Express has nice examples in the github repo. One of them deals with authentication and shows how to attach the user to the req.session object. This is done inside the app.post('/login') route.

    To limit access to certain pages add a simple middleware to those routes

    function restrict(req, res, next) {
  if (req.session.user) {
    next();
  } else {
    req.session.error = 'Access denied!';
    res.redirect('/login');
  }
}

app.get('/restricted', restrict, function(req, res){
  res.send('Wahoo! restricted area, click to <a href="/logout">logout</a>');
});

    As Brandon already mentioned you shouldn't use the MemoryStore in production. Redis is a good alternative. Use connect-redis to access the db. An example config looks like this

    var RedisStore = require('connect-redis')(express);

// add this to your app.configure
app.use(express.session({
  secret: "kqsdjfmlksdhfhzirzeoibrzecrbzuzefcuercazeafxzeokwdfzeijfxcerig",
  store: new RedisStore({ host: 'localhost', port: 3000, client: redis })
}));
    0 讨论(0)
  • 忘了有多久
    2020-12-22 23:16

    Use MemoryStore in express ONLY if you are not creating multiple instances (such as with the cluster module). If you are load balancing across machines, your load balancer will need to use sticky / persistent sessions.

    If you meet those requirements, then all you need to do is upon login, once the credentials are validated, set a session variable to indicate logged in, for example:

    req.session.loggedIn = true;

    If you want to check if a user is logged in, simply check that variable.

    if (req.session.loggedIn) {
    // user is logged in.
}
else {
    // user is not logged in.
}

    You mentioned preventing a single user from having sessions more than one session at a time. To achieve that, you may need to store something in a database indicating that the user is logged in. I warn you, this can be dangerous because of stale sessions. For example, what if a user logs in, but never logs out? What if they close their browser window so the session is gone forever?

    Express has no concept of an idle session expiration. I have implemented such a thing by storing all sessions in the database along with a last accessed timestamp and then periodically clean up the session data based on the time. But then you need to update your list of who is logged in as well.

    0 讨论(0)
 看不清?
提交回复
热议问题