为什么socket.io用不同的路径创建第二个'sid'cookie?
Mat*_*ins 4 cookies session node.js express socket.io
我正在推动一个项目,我发誓此前这不是问题,但显然现在不是 - 我可能做了一些愚蠢的事情.我看到express&socket.io创建两个不同的"sid"cookie,一个路径为"/",另一个路径为"/socket.io".我期待的行为是在我的express app和socket.io之间共享相同的cookie/session.
"sid"cookie为"/":
"/socket.io"的"sid"cookie:
我正在设置快递:
var config = require('config');
var express = require('express');
var cookieParser = require('cookie-parser');
var session = require('express-session');
var sessionStore = require('./session-store');
var sessionConfig = {
store : sessionStore,
secret : config.server.sessionSecret,
key : config.server.sessionKey,
saveUninitialized : true,
resave : true,
cookie : { secure: config.server.useHTTPS }
};
module.exports = function (app) {
app.use(cookieParser(config.server.sessionSecret));
app.use(session(sessionConfig));
};
我正在通过以下方式设置socket.io:
var config = require('config');
var redis = require('socket.io-redis')(config.redis.socket);
var cookieParser = require('socket.io-cookie-parser');
var sessionStore = require('./session-store');
module.exports = function (io) {
io.adapter(redis);
io.use(cookieParser(config.server.sessionSecret));
io.use(authorization);
};
function authorization (socket, next) {
var unauthorized = new Error('Unauthorized');
if (!socket.request.headers.cookie) {
return next(unauthorized);
}
var sessionKey = socket.server.engine.cookie;
var sessionId = socket.request.signedCookies[sessionKey] || socket.request.cookies[sessionKey];
if (!sessionId) {
return next(unauthorized);
}
sessionStore.get(sessionId, function (err, session) {
// use session's userId to fetch user & attach to socket
});
}
这两个文件从我的主服务器文件绑定在一起:
var http = require('http');
var express = require('express');
var socketio = require('socket.io');
var config = require('config');
var app = express();
var server = http.Server(app);
var io = socketio(server, {
cookie: config.server.sessionKey
});
// initialize aspects of the app
require('./config/initializers/io')(io);
require('./config/initializers/express')(app);
module.exports = server;
好的,我想我解决了.cookie在我的服务器上安装socket.io结束时看起来提供选项,导致engine.io根据这些代码行设置一个具有相同名称的cookie :
if (false !== this.cookie) {
transport.on('headers', function(headers){
headers['Set-Cookie'] = self.cookie + '=' + id;
});
}
根据RFC-2109 HTTP状态管理机制,默认路径是当前URL路径:
Run Code Online (Sandbox Code Playgroud)Path Defaults to the path of the request URL that generated the Set-Cookie response, up to, but not including, the right-most /.
这可以解释因为socket.io的端点/socket.io默认是创建的新cookie .由于我正在使用自定义授权来读取cookie,我认为通过将socket实例化更改为以下内容来禁用engine.io中的cookie是安全的:
var io = socketio(server, {
cookie: false
});
这现在打破authorization了原始问题中包含的功能,特别是这一行:
var sessionKey = socket.server.engine.cookie;
由于我不再将cookie密钥传递给socket.io/engine.io,我需要直接从我的配置中读取:
var sessionKey = config.server.sessionKey;
| 归档时间: |
|
| 查看次数: |
3208 次 |
| 最近记录: |