A cookie is a small piece of text stored on a user's computer by their browser. Common uses for cookies are authentication, storing of site preferences, shopping cart items, and server session identification.
Each time the user's web browser interacts with a web server it passes the cookie information to the web server. Only the cookies stored by the browser that relate to the domain in the requested URL will be sent to the server. This means that cookies that relate to www.example.com will not be sent to www.exampledomain.com.
In essence, a cookie is a great way of linking one page to the next for a user's interaction with a web site or web application.
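The domain scoping described above, worked through as an added example that is not part of the original page or of Lasso: a plain Node.js model of a browser's cookie jar that applies the RFC 6265 domain, path and Secure rules to decide which stored cookies are attached to a request. The jar contents and host names are constructed for the example.

```javascript
// Added example: which stored cookies a browser attaches to a request.
// Plain Node.js; not Lasso's or any framework's code.

// Constructed cookie jar mirroring what a browser keeps after Set-Cookie.
// `hostOnly` is true when the Set-Cookie header carried no Domain attribute.
const COOKIE_JAR = [
  { name: 'sid',   value: 'abc',  domain: 'www.example.com',   hostOnly: true,  path: '/',     secure: true },
  { name: 'pref',  value: 'dark', domain: 'example.com',       hostOnly: false, path: '/',     secure: false },
  { name: 'cart',  value: '42',   domain: 'shop.example.com',  hostOnly: true,  path: '/cart', secure: false },
  { name: 'other', value: 'x',    domain: 'exampledomain.com', hostOnly: false, path: '/',     secure: false },
];

// RFC 6265 section 5.1.3 domain matching: identical, or the host ends with "." + domain.
// Because of the dot boundary, "www.exampledomain.com" never matches "example.com".
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// RFC 6265 section 5.1.4 path matching: "/cart" covers "/cart/items" but not "/cartoon".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Select the cookies a browser would send with a request for `url`.
function cookiesForRequest(jar, url) {
  const u = new URL(url);
  const host = u.hostname;           // already lower-cased by the URL parser
  const path = u.pathname || '/';
  const https = u.protocol === 'https:';
  return jar.filter((c) => {
    const domainOk = c.hostOnly ? host === c.domain.toLowerCase() : domainMatches(host, c.domain);
    return domainOk && pathMatches(path, c.path) && (!c.secure || https);
  });
}

// Build the value of the Cookie request header.
function cookieHeader(jar, url) {
  return cookiesForRequest(jar, url).map((c) => c.name + '=' + c.value).join('; ');
}
```

The `secure` check shows why a session cookie should carry the Secure flag: without it the same `sid` would also be sent over plain HTTP, where it can be read in transit.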
To store information that is not appropriate to store client-side, we use sessions. Lasso has built-in session handling, and deals with the setting and retrieval of the cookie itself. It will automatically set and retrieve the session id, which is the only thing stored client-side.
Why use sessions
Cookies keep information on the client. Unless it is encrypted, that exposes private information and is very insecure; usually sensitive information is encrypted before it is stored in a cookie, but it can still easily be stolen. A session only stores information on the server side; if it is kept in a file or a database it can also be stolen, but the chance is far smaller than with a cookie. The most prominent session security problem is session hijacking, which is a real security threat; overall, though, sessions are more secure than cookies.
Express framework: in-memory session storage
express-session is middleware built on the Express framework specifically for handling sessions. The session mechanism cannot work without cookies, so the cookieParser middleware must be used as well.
var express = require('express');
var session = require('express-session');
var cookieParser = require('cookie-parser');
var app = express();

app.use(cookieParser());
app.use(session({
  secret: '12345',
  name: 'testapp',            // name of the session cookie; the default name is connect.sid
  cookie: { maxAge: 80000 },  // maxAge is 80000 ms, so the session and its cookie expire after 80 s
  resave: false,
  saveUninitialized: true,
}));

app.get('/awesome', function (req, res) {
  if (req.session.lastPage) {
    console.log('Last page was: ' + req.session.lastPage + '.');
  }
  req.session.lastPage = '/awesome'; // on every request lastPage is saved or updated in the in-memory session
  res.send("You're Awesome. And the session expired time is: " + req.session.cookie.maxAge);
});

app.get('/radical', function (req, res) {
  if (req.session.lastPage) {
    console.log('Last page was: ' + req.session.lastPage + '.');
  }
  req.session.lastPage = '/radical';
  res.send('What a radical visit! And the session expired time is: ' + req.session.cookie.maxAge);
});

app.get('/tubular', function (req, res) {
  if (req.session.lastPage) {
    console.log('Last page was: ' + req.session.lastPage + '.');
  }
  req.session.lastPage = '/tubular';
  res.send('Are you a suffer? And the session expired time is: ' + req.session.cookie.maxAge);
});

app.listen(5000);
Koa framework: in-memory session storage
var session = require('koa-generic-session');
var redisStore = require('koa-redis');
var koa = require('koa');
var app = new koa(); // for koa v1 use `var app = koa();`

app.keys = ['keys', 'keykeys']; // keys used to sign the session cookie
app.use(session({
  store: redisStore()
}));
cookie: session cookie settings, defaulting to
{
  path: '/',
  httpOnly: true,
  maxAge: 24 * 60 * 60 * 1000, // one day in ms
  rewrite: true,
  signed: true
}
If you set cookie.maxAge to null, no "expires" parameter is set and the cookie becomes a browser-session cookie: when the user closes the browser the cookie (and the session) is removed.
Notice that ttl is different from cookie.maxAge: ttl sets the expiry time of the session store. So if you set cookie.maxAge = null and ttl = ms('1d'), the session will expire after one day, but the cookie will be destroyed when the user closes the browser. Mostly you can just ignore options.ttl; koa-generic-session will use cookie.maxAge as the ttl.
Session Store
You can use any other store to replace the default MemoryStore; it just needs to follow this API:
- get(sid): get session object by sid
- set(sid, sess, ttl): set session object for sid, with a ttl (in ms)
- destroy(sid): destroy session for sid
- each method needs to return a Promise, Thunk or generator.
And use these events to report the store's status.
- connect
- disconnect
koa-redis works with koa-generic-session (a generic session middleware for koa).
Events
- ready
- connect
- reconnecting
- error
- end
- warning