Do we actually need sessions in Node.js, or can we store users' data in a global variable based on the user's IP?


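Question

I was always using sessions in PHP and have now switched to a Node.js server, which is running constantly (unlike PHP). So I'm not sure if I really need sessions in Node.js to store users' data.
I can make a simple IP-based global user storage variable and store any user's data there. Here is an example: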

```javascript
import Express from "express";
import sessions from "express-session";

class HttpServer {

    app;
    users = []; // in-memory store with one entry per client IP

    constructor() {
        this.init();
    }

    init() {

        this.app = Express();

        /*
        this.app.use(sessions({
                secret: 'Secret word',
                resave: false,
                saveUninitialized: true,
                cookie: { secure: false, maxAge: 60 * 60 * 24 * 1000 }
            }
        ))

         */

        // Register the IP of every incoming request before handling it
        this.app.use((req, res, next) => {
            this.checkUser(req, res);
            next();
        })

        this.app.listen(8080);

    }


    // Create an entry for this IP if none exists yet
    checkUser(req, res) {
        let user = this.getUserByIp(req.ip);
        if (!user) { // Add new user
            this.users.push({ip: req.ip, isLogged: false});
        }

    }

    // Linear search of the store by IP; returns false when not found
    getUserByIp(ip) {
        for (let i = 0; i < this.users.length; i++) {
            if (this.users[i].ip === ip) {
                return this.users[i];
            }
        }

        return false;
    }

    // Mark whoever is stored under this IP as logged in
    authorizeUser(ip) {
        let user = this.getUserByIp(ip);
        if (user) {
            user.isLogged = true;
        }
    }


}
```

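# Answer 1
**Score**: 2

A session is just a piece of memory (or database record) indexed by a cookie ID. You are proposing a piece of memory indexed by an IP address.

The problem with an IP address is that many people may be proxied through the same IP address (multiple home users, multiple WiFi users at a Starbucks or corporate users who connect via a corporate proxy), which can then mix up credentials between users, which is disastrous.

Do NOT rely on every user having a unique IP address. It just isn't so. My son, wife and myself when connecting from home all appear to come from the same IP address.

Multiple people using WiFi at a Starbucks may all appear to be coming from the same IP address.

A mobile user may have a changing IP address as they move around in the mobile network (thus losing their session info every time the IP address changes) and then someone else reuses your old IP address.

People using VPNs will have who-knows-what IP address that will not necessarily remain the same for that computer, and those IP addresses will be shared with many other users also using the same VPN service and connecting to the same VPN servers.

There are very good reasons that sessions are based off an encrypted ID in a cookie.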
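The difference the answer describes, as an added example that is not part of the original question or answer: two clients behind one public IP are looked up first in a store keyed by IP, then in a store keyed by a random ID carried in a signed cookie. The names `ipLookup`, `newSessionCookie`, `cookieLookup` and `demo` are hypothetical, the scenario and IP address are constructed, and the cookie here is HMAC-signed, which is an assumption of this sketch.

```javascript
// Added example, Node.js core modules only (no Express).
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // signing key, generated per process

// Store keyed by IP address, as the question proposes.
const usersByIp = new Map();
function ipLookup(ip) {
  if (!usersByIp.has(ip)) usersByIp.set(ip, { isLogged: false });
  return usersByIp.get(ip);
}

// Store keyed by a random ID that the client sends back in a cookie.
const sessionsById = new Map();
const sign = (id) => crypto.createHmac('sha256', SECRET).update(id).digest('base64url');

function newSessionCookie() {
  const id = crypto.randomBytes(32).toString('base64url'); // unguessable ID
  sessionsById.set(id, { isLogged: false });
  return `${id}.${sign(id)}`;
}

function cookieLookup(cookie) {
  const [id, mac] = String(cookie).split('.');
  if (!id || !mac) return null;
  const expected = Buffer.from(sign(id));
  const given = Buffer.from(mac);
  // Reject any value whose signature does not verify.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  return sessionsById.get(id) ?? null;
}

// Constructed scenario: Alice and Bob share one public IP (home NAT, cafe WiFi).
function demo() {
  const sharedIp = '203.0.113.7'; // constructed, documentation range
  ipLookup(sharedIp).isLogged = true; // Alice logs in
  const bobLoggedInByIp = ipLookup(sharedIp).isLogged; // Bob's first request

  const aliceCookie = newSessionCookie();
  const bobCookie = newSessionCookie();
  cookieLookup(aliceCookie).isLogged = true; // Alice logs in
  const bobLoggedInByCookie = cookieLookup(bobCookie).isLogged;

  const tampered = `${bobCookie.split('.')[0]}.${'A'.repeat(43)}`;
  return { bobLoggedInByIp, bobLoggedInByCookie,
           tamperedAccepted: cookieLookup(tampered) !== null };
}

console.log(demo());
```

With the IP-keyed store, Bob inherits Alice's login state; with per-client cookies he does not, and a cookie whose signature has been altered is not accepted.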

huangapple
  • Posted on April 20, 2023, 09:50:41
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76059974.html