Express Passport.js: req.user VERSUS req.session.passport.user

Submitted by 柔情痞子 on 2019-12-18 12:23:16

Question


As per this article

http://toon.io/understanding-passportjs-authentication-flow/

It looks as though PassportJS/Express store the logged-in user in two places

req.user

and

req.session.passport.user

Why both? Which one should I use? When I log out with Passport, does it destroy both req.user and req.session.passport.user?


Answer 1:


You should always, always use req.user in your own code -- this is important because if you use req.session.passport.user, you're essentially pulling user information out of a session cookie (which may be outdated).

It's always best to rely on req.user as opposed to cookie data directly, as depending on your implementation, that information might be out of date.

And to answer your question: if you log a user out, both req.session and req.user will no longer be available.
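
Added example (not part of the original question or answer, and not Passport's own code): a dependency-free model of how the value returned by `serializeUser` lands in `session.passport.user` while `deserializeUser` rebuilds `req.user` on every request, so a role revoked after login is reflected in `req.user`. It assumes only the user id is serialized; `userDb`, `buildRequest`, `canAccessAdmin` and `demo` are names constructed for this sketch.

```javascript
// Simplified model of Passport's session flow; not Passport's source code.
// userDb and every function name below are constructed for this example.
const userDb = new Map();

// Whatever serializeUser yields is what gets stored at session.passport.user.
const serializeUser = (user) => user.id;
// Runs on every request: turns the stored key into a fresh copy of the record.
const deserializeUser = (id) => (userDb.has(id) ? { ...userDb.get(id) } : null);

function login(session, user) {
  session.passport = { user: serializeUser(user) };
}

// Model of passport.session(): rebuild req.user from the session per request.
function buildRequest(session) {
  const req = { session, user: null };
  if (session.passport && session.passport.user !== undefined) {
    req.user = deserializeUser(session.passport.user);
    if (!req.user) delete session.passport.user; // account gone: no login
  }
  return req;
}

// Model of logout: the login is removed from both places.
function logout(req) {
  delete req.session.passport;
  req.user = null;
}

// Authorization reads req.user, never the raw session payload.
const canAccessAdmin = (req) => Boolean(req.user && req.user.role === 'admin');

function demo() {
  userDb.set(42, { id: 42, name: 'alice', role: 'admin' }); // constructed user
  const session = {}; // stands in for the server-side session record
  login(session, userDb.get(42));
  const storedKey = session.passport.user;
  const beforeRevoke = canAccessAdmin(buildRequest(session));
  userDb.get(42).role = 'viewer'; // role revoked after login
  const afterRevoke = canAccessAdmin(buildRequest(session));
  const req = buildRequest(session);
  logout(req);
  const afterLogout = { user: req.user, hasPassport: 'passport' in session };
  return { storedKey, beforeRevoke, afterRevoke, afterLogout };
}

console.log(demo());
```

If `serializeUser` stored the whole user object instead of the id, the session would keep the `admin` role until the next login, which is why authorization checks belong on `req.user`.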



Source: https://stackoverflow.com/questions/27055744/express-passport-js-req-user-versus-req-session-passport-user
