7

我有一个主干视图,它向服务器发送 Ajax 调用以删除会话。

在服务器上触发以下事件:

app.delete('/session', function(req, res) {
    if (req.session) {
        req.session.destroy(function() {
            res.clearCookie('connect.sid', { path: '/' });
            res.send('removed session', 200);
        });
    } else {
        res.send('no session assigned', 500);
    }
});

奇怪的是,我可以多次按下注销按钮而不会收到 HTTP 500 错误代码。铬也向我展示了一个 cookie 仍然存在。

出了什么问题?

问候

编辑

我发现这不是直接的会话问题,而是 cookie 问题。我在路由中添加了 res.clearCookie。不幸的是行为(cookie,会话保持活动)没有改变

EDIT2:我现在给 res.clearCookie 一些参数 => res.clearCookie('connect.sid', { path: '/' }); 现在至少cookie在浏览器中消失了。但是会话似乎仍然可用。或者至少我可以调用注销路由我想要的频率,甚至 req.session 应该是假的

EDIT3: 我现在从 redis 中删除了所有会话并重新启动了所有内容(redis、节点、浏览器)。比我再次登录并注销。到目前为止这有效,但是当我用 F5 重新加载页面时,我得到了一个新会话。为什么?

4

1 回答 1

6

为了将所有评论集中在一起,我写了一个答案:

因为 express 总是为客户端创建会话和 cookie,所以我们必须采取不同的方法,而不仅仅是检查是否存在会话。

这部分处理登录

app.post('/session', function(req, res) {
    User.findOne({ username: req.body.username })
        .select('salt') // my mongoose schema doesn't fetches salt
        .select('password') // and password by default
        .exec(function(err, user) {
            if (err || user === null) throw err; // awful error handling here
            // mongoose schema methods which checks if the sent credentials
            // are equal to the hashed password (allows callback)
            user.hasEqualPassword(req.body.password, function(hasEqualPassword) {
                if (hasEqualPassword) {
                    // if the password matches we do this:
                    req.session.authenticated = true; // flag the session, all logged-in check now check if authenticated is true (this is required for the secured-area-check-middleware)
                    req.session.user = user; // this is optionally. I have done this because I want to have the user credentials available
                    // another benefit of storing the user instance in the session is
                    // that we can gain from the speed of redis. If the user logs out we would have to save the user instance in the session (didn't tried this)
                    res.send(200); // sent the client that everything gone ok
                } else {
                    res.send("wrong password", 500); // tells the client that the password was wrong (on production sys you want to hide what gone wronge)
                }
            });
        });
});

那是登录部分,让我们去注销:

app.delete('/session', function(req, res) {
    // here is our security check
    // if you use a isAuthenticated-middleware you could make this shorter
    if (req.session.authenticated) {
        // this destroys the current session (not really necessary because you get a new one
        req.session.destroy(function() {
            // if you don't want destroy the whole session, because you anyway get a new one you also could just change the flags and remove the private informations
            // req.session.user.save(callback(err, user)) // didn't checked this
            //delete req.session.user;  // remove credentials
            //req.session.authenticated = false; // set flag
            //res.clearCookie('connect.sid', { path: '/' }); // see comments above                res.send('removed session', 200); // tell the client everything went well
        });
    } else {
        res.send('cant remove public session', 500); // public sessions don't containt sensible information so we leave them
    }
});

希望这可以帮助

于 2012-07-20T15:47:51.587 回答