我正在使用最新版本的node.js和session.socket.io,这就是我设置会话的方式(请注意我没有使用HTTPS连接,所以没有secure: true
):< / p>
app.configure(function() {
app.use(cookieParser);
app.use(express.session({
signed: true,
store: sessionStore,
secret: 'SECRET',
cookie: {
maxAge: 24 * 60 * 60 * 1000,
httpOnly: true
}
}));
});
var sessionSockets = new SessionSockets(io, sessionStore, cookieParser);
// Later
sessionSockets.on('connection', function(error, socket, session) {
// session could be used here to detect if user is logged in
// e.g. login: session.name = 'x'; session.save();
// e.g. checkIfLoggedIn: if (session.name) return true;
});
我的代码是否安全/正确或我如何验证用户是否真的已登录?
是否可以/建议更改客户端上的sid
cookie(因为它提到了here)?
答案 0 :(得分:17)
我知道这有点老了,但对于未来的读者,除了@kentcdodds描述的解析cookie并从存储中检索会话的方法(例如我自己的passport.socketio模块)之外,您可能还会考虑基于令牌的方法。
在这个例子中,我使用非常标准的JSON Web Tokens。您必须向客户端页面提供令牌,在此示例中,假设一个返回JWT的身份验证端点:
var jwt = require('jsonwebtoken');
// other requires
app.post('/login', function (req, res) {
// TODO: validate the actual user user
var profile = {
first_name: 'John',
last_name: 'Doe',
email: 'john@doe.com',
id: 123
};
// we are sending the profile in the token
var token = jwt.sign(profile, jwtSecret, { expiresInMinutes: 60*5 });
res.json({token: token});
});
现在,您的socket.io服务器可以配置如下:
var socketioJwt = require('socketio-jwt');
var sio = socketIo.listen(server);
sio.set('authorization', socketioJwt.authorize({
secret: jwtSecret,
handshake: true
}));
sio.sockets
.on('connection', function (socket) {
console.log(socket.handshake.decoded_token.email, 'has joined');
//socket.on('event');
});
socket.io-jwt中间件需要查询字符串中的标记,因此从客户端开始连接时只需附加它:
var socket = io.connect('', {
query: 'token=' + token
});
我写了一个关于这种方法和cookies here的详细解释。
答案 1 :(得分:12)
我建议避免重新发明轮子并使用PassportJS之类的库。有一个专门用于使用PassportJS和Socket.io here的模块(虽然我目前正在开发一个我很快就需要它的项目,但我从未使用过这个模块)。我使用过PassportJS,非常简单。我会推荐这个。
答案 2 :(得分:-3)
使用Passport进行用户身份验证和会话存储
var express = require('express'),
routes = require('./routes'),
api = require('./routes/api'),
http = require('http'),
path = require('path'),
mysql = require('mysql'),
passport = require('passport'),
LocalStrategy = require('passport-local').Strategy;
//MySQL
var sqlInfo = {
host: 'localhost',
user: 'root',
password: '',
database: 'dbname'
}
global.client = mysql.createConnection(sqlInfo);
client.connect();
var app = module.exports = express();
/**
* Configuration
*/
// all environments
app.set('port', process.env.PORT || 3000);
app.set('views', __dirname + '/views');
app.set('view engine', 'jade');
app.use(express.logger('dev'));
app.use(express.bodyParser());
app.use(express.methodOverride());
app.use(express.static(path.join(__dirname, 'public')));
app.use(express.cookieParser("secret"));
app.use(express.session({
secret: 'keyboard cat'
}));
app.use(passport.initialize());
app.use(passport.session());
app.use(app.router);
passport.use(new LocalStrategy(
function(username, password, done) {
return check_auth_user(username,password,done);
}
));
// development only
if (app.get('env') === 'development') {
app.use(express.errorHandler());
}
// production only
if (app.get('env') === 'production') {
// TODO
}
/**
* routes start---------------------------------------------------------------
*/
// home page contain login form
app.get('/home', function(reg, res){
//check user session value, is logged in
if(req.user)
res.render('dash',{
username: req.user['member_id']//req.user array contains serializeUser data
});
else
res.render('index');
});
app.get('/logout', function(req, res){
req.logout();
res.redirect('/home');
});
//login form submit as post
app.post('/login',
passport.authenticate('local', {
successRedirect: '/dashboard',
failureRedirect: '/home'
})
);
//to project dashboard
app.get('/dash',routes.dash);
//to project dashboard
app.get('/signup',routes.signup);
//to project dashboard
app.get('*', routes.index);
/**
* routes end---------------------------------------------------------------------
*/
/**
* Start Server
*/
http.createServer(app).listen(app.get('port'), function () {
console.log('Express server listening on port ' + app.get('port'));
});