我已经使用express和express-session以及express-sql-session了。当用户登录时,我已经在数据库中为会话创建了一行。这就是我设置的方式:
//login route handler
this.bcrypt.compare(password, row.hashed, function(err, passwordsMatch) {
if (passwordsMatch === true) {
console.log("user now logged in");
req.session.user = row;
req.session.success = 'User successfully logged in';
res.send(row);
res.end();
}
});
Hunky dory!我可以跳到我的会话表中并从数据库中获取行。这是:
{"cookie":{"originalMaxAge":600000,"expires":"2015-08-24T23:16:20.079Z","httpOnly":false,"path":"/"},
"user":{"userID":24,"userName":"g","email":"g","joinDate":"2015-08-24T07:15:33.000Z"},"success":"User successfully logged in"}
请注意,您可以看到已设置自定义使用对象。但是,在下一次获取某些数据的请求时,我会检查会话中的user对象:
// some other route called after login.
if (!req.session.user) {
console.log('user not authorized' + JSON.stringify(req.session));
res.send('not authorized');
return;
}
但是会记录(显然)空的会话。
user not authorized{"cookie":{"originalMaxAge":600000,"expires":"2015-08-24T23:27:13.455Z","httpOnly":false,"path":"/"}}
进入浏览器,我也看到资源面板中没有设置cookie。这不应该用express 4和session自动生成吗?文档说你不再需要expressCookie()和express 4了。如何在后续请求中获得正确的会话?
此外,如果我再次登录,它只会在会话表中创建一个重复的行。 如何在响应中正确设置Cookie以使其适用于下一个请求?
如果有帮助,这是我的会话配置:
// at the beginning of my node server
import express = require('express');
import bodyParser = require('body-parser');
import Q = require('q');
import mysql = require('mysql');
var app = express();
import bcrypt = require('bcrypt');
import userModule = require('./userModule')
var UserRepository = new userModule.UserNamespace.UserRepository(connectToMySQL, bcrypt, Q );
import session = require('express-session');
var SessionStore = require('express-sql-session')(session);
app.use(function (req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header('Access-Control-Allow-Credentials', 'true');
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
next();
});
app.use(bodyParser.urlencoded({ extended: false }))
app.use(bodyParser.json())
var storeOptions = {
client: 'mysql',
connection: {
host:SQLHOST,
port:SQLPORT,
user:SQLUSER,
password: SQLPASS,
database: SQLDB
},
table: SESSION_TABLE,
expires: 365 * 24 * 60 * 60 * 1000
};
var sessionStore = new SessionStore( storeOptions );
app.use(session({
secret: 'meeogog',
resave: false,
saveUninitialized: false,
cookie: { maxAge: 600000,httpOnly: false },
store: sessionStore
}));
...
app.post('/users/login/', function (req, res) {
UserRepository.loginHashed(req, res);
});
..and then more routes, and so forth
答案 0 :(得分:4)
在我得到这个之后,我发现它是使用localhost而不是在xhr请求上设置withCredentials的组合。本地主机是让我绊倒你必须使用完全限定的127.0.0.1并且令人头疼的是,http文件在不同的端口上提供,因此必须更改通配符以反映这一点。
所以...
//where the server runs on 127.0.0.1:3000 but the http runs from :9000
app.use(session({
name:'some_session',
secret: 'lalala',
resave: true,
saveUninitialized: false,
cookie: { maxAge: 365 * 24 * 60 * 60 * 1000,httpOnly: false , domain:'127.0.0.1:9000'},
store: sessionStore
}));
res.header("Access-Control-Allow-Origin", "http://127.0.0.1:9000");
//important
$http request (angular): useCredentials: true
答案 1 :(得分:2)
我曾经遇到过这个问题。
ps:以下所有代码均由:
提供刚开始使用护照: http://passportjs.org/
"passport": "~0.2.0",
"passport-facebook": "~1.0.2",
"passport-github": "~0.1.5",
"passport-google-oauth": "~0.1.5",
"passport-linkedin": "~0.1.3",
"passport-local": "~1.0.0",
"passport-twitter": "~1.0.2",
基本上我只是这样做: express.js
// CookieParser should be above session
app.use(cookieParser());
// Express MongoDB session storage
app.use(session({
saveUninitialized: true,
resave: true,
secret: config.sessionSecret,
store: new mongoStore({
db: db.connection.db,
collection: config.sessionCollection
})
}));
app.use( function (req, res, next) {
if ( req.method === 'POST' && (req.url === '/auth/signin'||req.url === '/auth/login') ) {
if ( req.body.rememberme ) {
req.session.cookie.maxAge = 2592000000; // 30*24*60*60*1000 Rememeber 'me' for 30 days
} else {
req.session.cookie.expires = false;
}
}
next();
});
// use passport session
app.use(passport.initialize());
app.use(passport.session());
创建passport.js
'use strict';
/**
* Module dependencies.
*/
var passport = require('passport'),
User = require('mongoose').model('User'),
path = require('path'),
config = require('./config');
/**
* Module init function.
*/
module.exports = function() {
// Serialize sessions
passport.serializeUser(function(user, done) {
done(null, user.id);
});
// Deserialize sessions
passport.deserializeUser(function(id, done) {
User.findOne({
_id: id
}, '-salt -password', function(err, user) {
done(err, user);
});
});
// Initialize strategies
config.getGlobbedFiles('./config/strategies/**/*.js').forEach(function(strategy) {
require(path.resolve(strategy))();
});
};
在策略文件夹里面我做了那些文件:
locals.js
`
'use strict';
/**
* Module dependencies.
*/
var passport = require('passport'),
LocalStrategy = require('passport-local').Strategy,
User = require('mongoose').model('User');
module.exports = function() {
// Use local strategy
passport.use(new LocalStrategy({
usernameField: 'email',
passwordField: 'password'
},
function(email, password, done) {
User.findOne({
email: email
}).select('-__v -notes -tags').exec(function(err, user) {
if (err) {
return done(err);
}
if (!user) {
return done(null, false, {
message: 'Unknown user or invalid password'
});
}
if (!user.authenticate(password)) {
return done(null, false, {
message: 'Unknown user or invalid password'
});
}
user.password = undefined;
user.salt = undefined;
user.notes = undefined;
user.tags = [];
return done(null, user);
});
}
));
};
最后登录我只是这样做:
user.auth.js
/**
* Signin after passport authentication
*/
exports.signin = function(req, res, next) {
console.log(req.body);
passport.authenticate('local', function(err, user, info) {
if (err || !user) {
res.status(400).send(info);
} else {
// Remove sensitive data before login
user.password = undefined;
user.salt = undefined;
user.notes = undefined;
user.tags = [];
user.resetPasswordToken = undefined;
req.login(user, function(err) {
if (err) {
res.status(400).send(err);
} else {
res.json(user);
}
});
}
})(req, res, next);
};
答案 2 :(得分:0)
我也有同样的痛苦,对我有用的解决方案类似于 FlavorScope。
我意识到 express-session 库正在服务器上创建一个 cookie,但它没有保存在本地 cookie 中。响应头会说 set-cookie 但没有保存。当我点击另一条路线,重新登录等时,它无法工作并且无法识别旧会话(因为客户端/浏览器没有发送一个大声笑)。这就是为什么它在每条路线上都进行了新的会话。这个问题似乎只能通过 1.) 在服务器上以某种方式设置 cookie,以及 2.) 在客户端/浏览器上以某种方式设置任何获取/发布请求来解决。
我在没有更改为 127.0.0.1 的情况下工作。本地主机对我来说工作正常。我还使用了 FETCH api,它专门用于设置标题的方式。这也适用于我的开发环境。我不得不将安全标志更改为 false。 Localhost 是 http 而不是 https,因此如果开发环境的安全标志为真,它就会中断。还有最后一件事,当您拥有凭据时:前端的“包含”您还需要使用特定域设置 cors(这里我使用我的本地主机),“*”通配符域不起作用。用我的话来说,我会说凭据:“包含”只是对浏览器说“嘿,如果我们从服务器取回一个,你可以保存这个 cookie”
服务器
app.use(cors({
origin: "http://localhost:3000",
credentials: true
}));
app.use(session({ name: "mySession",
secret: process.env.SESSION_SECRET,
resave: false,
saveUninitialized: false,
cookie: {
httpOnly: true,
secure: false,
maxAge: 60000 * 60 * 24
},
store: new RedisStore({ client: redisClient })
}))
用于登录的客户端/浏览器以及获取请求的另一个示例
fetch(
"http://localhost:3001/login",
{
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
email: email,
password: password
}),
credentials : "include"
}
)获取请求示例,仍然需要凭据:“include”
<pre><code>
fetch(
"http://localhost:3001/accounts",
{
method: "GET",
headers: {"Content-Type": "application/json"},
credentials: "include"
}
)
</pre></code>