
I'm new to nodejs/mongo, so I ended up rolling my own session middleware because I didn't know about express-session-mongo.

In my middleware I store the user ID in the session (via express's session middleware) and then load the logged-in user object on every request. I also let users store their user/pass in an httpOnly cookie to implement a "remember me" feature.

The documentation page for that npm module is somewhat lacking.

My question is: what advantages does that module have over what I wrote? Am I doing something silly? What do they do better than I do?


1 Answer


Your technique is highly insecure. If I just need to know the ID of a user record in your database, and I can use that in my session cookie to become any arbitrary user, that's a massive vulnerability. Session IDs should be pseudorandom tokens that in and of themselves do not contain any data. They are just unguessable numbers used to look up data on the server side. They should also be unique for each session across time, which a user ID is not.

Answered 2012-12-26T19:15:04.173