问题
I'm using a quite straightforward setup of Express + Mongoose + Passport + Connect-mongo, and everything works fine. The only thing that is puzzling me, is that I can see the passport.unserializeUser called even for static files, which is - from my application point of view - absolutely pointless.
I can understand that there are cases where you want the static files to be served under some sort of authorization as well, but I wonder how I could "skip" the whole session middleware in case I'm serving a static file.
(In a production environment I could not use cookies for assets)
回答1:
Middleware is called upon in the order it was added. Just move the static middleware to be very early in your app.js.
For example:
app.use(express.static(__dirname + "/public"));
// any other middleware
app.use(passport()); // or whatever your passport config looks like
回答2:
You could serve the static files from another domain which does not store any cookies at all. That also means that you cannot do any (security) checks before serving those files.
This technique is used by various sites, such as StackOverflow, Facebook and LinkedIn.
来源:https://stackoverflow.com/questions/13791136/express-is-it-possible-to-bypass-sessions-for-static-files