我正在使用 connect-mysql-session 将会话存储在数据库中。现在我的问题是如何添加包含浏览器代理和 IP 地址的用户数据来检查会话是否有效?我如何获得这些信息?我如何检查它是否匹配?
users.login(credentials,function(err, results) {
//On errors
if (err) {
res.render(routes.index, {
title: 'Login'
});
//On success
} else if (results[0]) {
//Set session data and redirect to start page
req.session.userdata = results[0];
req.session.userdata.email = req.body.email_login;
req.session.is_logged_in = true;
res.redirect('/start');
//Wrong credentials
} else {
req.flash('warning','Wrong password or login');
res.render('index', {
title: 'Login'
});
}
});
更新:
我现在将此添加到会话中:
req.session.ip = req.connection.remoteAddress;
req.session.useragent = req.headers['user-agent'];
并在我的身份验证中间件中检查它:
if(req.session.userdata && req.session.is_logged_in === true && req.session.ip === req.connection.remoteAddress && req.session.useragent === req.headers['user-agent']) {
next();
} else {
res.redirect('/');
}
这是安全的还是您认为这样做有任何风险?我应该换一种方式吗?