The current situation is that there is a cookie on the browser side, the name is config.session.key('myblog'), but its value will never change regardless of whether you are logged in or not, and if you are logged in, close the browser and try again When you open the page, you will still be in the "logged in" state. How is this implemented? The verification mechanism I personally understand should be to change the value of the cookie and send it to the server. After confirmation, the server returns logged in. Please dalao clarify
index.js
app.use(session({
name:config.session.key,//设置cookie中保存session id的字段名称
secret:config.session.secret,//通过设置 secret 来计算 hash 值并放在 cookie 中,使产生的 signedCookie 防篡改
resave:false,//
saveUninitialized:false,//设置为 false,强制创建一个 session,即使用户未登录
cookie:{
maxAge:config.session.maxAge,//过期时间
},
store:new MongoStore({//将session存储到mongodb
url:config.mongodb//mongodb地址
})
}));
signin.js user login
router.post('/', checkNotLogin, function(req, res, next) {
var name = req.fields.name,
password = req.fields.password;
UserModel.getUserByName(name)
.then(function(user){
if(!user){
req.flash('error','用户不存在');
return res.redirect('back');
}
// 密码是否匹配
if(sha1(password)!==user.password){
req.flash('error','密码错误');
return res.redirect('back')
}
req.flash('success','登录成功');
delete user.password;
req.session.user = user;
res.redirect('/posts');
})
.catch(next);
});
The value of the cookie is not changed. req.session is stored on the server side.