Javascript Expressjs没有';t销毁会话
我有一个主干视图,它向服务器发送Ajax调用以删除会话 在服务器上触发以下事件:Javascript Expressjs没有';t销毁会话,javascript,node.js,session,express,Javascript,Node.js,Session,Express,我有一个主干视图,它向服务器发送Ajax调用以删除会话 在服务器上触发以下事件: app.delete('/session', function(req, res) { if (req.session) { req.session.destroy(function() { res.clearCookie('connect.sid', { path: '/' }); res.send('removed session', 20
app.delete('/session', function(req, res) {
if (req.session) {
req.session.destroy(function() {
res.clearCookie('connect.sid', { path: '/' });
res.send('removed session', 200);
});
} else {
res.send('no session assigned', 500);
}
});
奇怪的是,我可以多次按下注销按钮而不会得到HTTP 500错误代码。铬还告诉我饼干仍然存在
出什么事了
问候
编辑:
我发现这不是直接的会话问题,而是cookie问题。
我将res.clearCookie添加到路由中。不幸的是,行为(cookie、会话保持活动)没有改变
EDIT2:
我现在给res.clearCookie一些参数=>res.clearCookie('connect.sid',{path:'/'});
现在至少浏览器中的cookie不见了。但会议似乎仍然可以进行。
或者至少我可以调用注销路由,我希望req.session应该为false
EDIT3:
我现在从redis中删除了所有会话,并重新启动了所有内容(redis、节点、浏览器)。
然后我再次登录并注销。到目前为止,这是有效的,但是当我用F5重新链接页面时,我得到了一个新的会话。为什么?为了集中所有评论,我写了一个答案: 因为express总是为客户端创建会话和cookie,所以我们必须采取不同的方法,而不仅仅是检查是否存在会话 此部件处理登录
app.post('/session', function(req, res) {
User.findOne({ username: req.body.username })
.select('salt') // my mongoose schema doesn't fetches salt
.select('password') // and password by default
.exec(function(err, user) {
if (err || user === null) throw err; // awful error handling here
// mongoose schema methods which checks if the sent credentials
// are equal to the hashed password (allows callback)
user.hasEqualPassword(req.body.password, function(hasEqualPassword) {
if (hasEqualPassword) {
// if the password matches we do this:
req.session.authenticated = true; // flag the session, all logged-in check now check if authenticated is true (this is required for the secured-area-check-middleware)
req.session.user = user; // this is optionally. I have done this because I want to have the user credentials available
// another benefit of storing the user instance in the session is
// that we can gain from the speed of redis. If the user logs out we would have to save the user instance in the session (didn't tried this)
res.send(200); // sent the client that everything gone ok
} else {
res.send("wrong password", 500); // tells the client that the password was wrong (on production sys you want to hide what gone wronge)
}
});
});
});
这是登录部分,请转到注销:
app.delete('/session', function(req, res) {
// here is our security check
// if you use a isAuthenticated-middleware you could make this shorter
if (req.session.authenticated) {
// this destroys the current session (not really necessary because you get a new one
req.session.destroy(function() {
// if you don't want destroy the whole session, because you anyway get a new one you also could just change the flags and remove the private informations
// req.session.user.save(callback(err, user)) // didn't checked this
//delete req.session.user; // remove credentials
//req.session.authenticated = false; // set flag
//res.clearCookie('connect.sid', { path: '/' }); // see comments above res.send('removed session', 200); // tell the client everything went well
});
} else {
res.send('cant remove public session', 500); // public sessions don't containt sensible information so we leave them
}
});
希望这有助于如果您执行
delete req.session,会发生什么代码>这不会影响会话,至少不会影响下一个请求,因为您只是在本地删除变量,而不是redis键。req.session.destroy也会删除此项。但是查看更新您不必清除cookie,connect将在不存在cookie的情况下为您提供一个新会话,也许这就是您所感知的同一会话?@kyogron只是一个简单的标志,如authenticated:true
@niconic