Thoughts on Koa Session

What is a session?

Google it yourself.

How do you identify which user logged in?

When a user logs in, the system generates a cookie. When the browser receives the HTTP response, it saves the cookie value on the client. Every subsequent request from the user carries the cookie to the server, and the server uses the cookie value to look up the information in the session (different languages parse it in different ways, but the principle is the same), so it knows which user it is. Is it unsafe if the cookie is lost? That is not discussed here. Google it.

Session storage

  • File storage
  • Database storage

Session file storage

Generally, session information is stored in files on the operating system; different languages store it in different forms and structures.

  • Advantages: simple to use, suitable for small websites, fast to read
  • Disadvantages: relatively insecure; session files pile up over time, so it is not suitable for large websites

Session database storage

Today's servers are typically load balanced, and services are split horizontally and vertically, so session persistence is an issue that needs to be considered. Session persistence basically means keeping the session somewhere on the network. When a user logs in to one of these systems, correctly identifying which user it is takes some careful engineering. That is why session persistence solutions exist.

The solution to session persistence is to store sessions in a database: memcache, Redis, MySQL, MongoDB… Since memcache cannot actually persist data, sessions can be lost if the server fails, so this option is usually not considered.

Which of the above is the best place to store sessions depends on your own business needs. Google it.

Thoughts on Koa Session

That was a long digression; back to the point. Koa has a lot of session solutions.

There are many persistence schemes, but they all seem to share the same problem: after the user logs out, the token information saved in the session needs to be cleared.

You might think that setting session = {} would destroy the session, but this is not the case. The user can still access the available routes again. Why? Because of the cookie: after the server gets the cookie information, it looks up the session information in the database and finds it, so the session information you set earlier is returned. The session therefore still gets the original information.

You might think that since the cookie is what makes this work, you can set the cookie to expire. This works, but it has a problem: users can change the expiration time of cookies. So that, too, is problematic.

P.S. The above is my thinking on Koa sessions. If there is anything wrong, please point it out in the comments.

The solution

Based on the above problem, my solution is to delete the session information in the database after the user logs out. Unfortunately, the session persistence solutions shown above do not provide this. (In fact, such a situation is not terrible; what is terrible is having no ideas and no solutions.)

Koa session persistence is typically implemented using the koa-session middleware. It accepts a store argument, so we just need to implement that store.

You can refer to my blog: FM126.xyz /2017/12/12/…

The store implementation needs a destroy method, which it provides to koa-session. So we can do it this way: when the session is destroyed, this method is called and the session record is deleted.
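An added example, not the author's store or code from the koa-session project: a minimal store with the get/set/destroy methods koa-session calls, and a constructed scenario that replays the same cookie value after three kinds of logout. The names `MapStore` and `replayAfterLogout`, the session key and the token are assumptions, and a `Map` stands in for the database.

```javascript
// Added example, not the author's store. Map stands in for Redis/MongoDB;
// a real store would return promises, which koa-session awaits.
class MapStore {
  constructor(now = () => Date.now()) {
    this.records = new Map();
    this.now = now; // injectable clock so expiry can be tested
  }
  // koa-session calls get(key, maxAge, opts) on each request carrying the cookie
  get(key) {
    const rec = this.records.get(key);
    if (!rec) return undefined;
    if (rec.expiresAt <= this.now()) { // expiry enforced on the server
      this.records.delete(key);
      return undefined;
    }
    return rec.sess;
  }
  // koa-session calls set(key, sess, maxAge, opts) when the session is saved
  set(key, sess, maxAge) {
    this.records.set(key, { sess, expiresAt: this.now() + maxAge });
  }
  // koa-session calls destroy(key) when the handler sets ctx.session = null
  destroy(key) {
    this.records.delete(key);
  }
}

// Constructed scenario: the same cookie value is replayed after each kind of logout.
function replayAfterLogout(mode) {
  let clock = 0;
  const store = new MapStore(() => clock);
  const sid = 'sid-constructed-001'; // constructed sample session key
  store.set(sid, { userId: 42, token: 'constructed-token' }, 60000);
  if (mode === 'cookie-only') {
    // server does nothing; only the browser's copy of the cookie is expired
  } else if (mode === 'destroy') {
    store.destroy(sid); // server-side record removed at logout
  } else if (mode === 'ttl') {
    clock += 60001; // maxAge has elapsed on the server clock
  }
  return store.get(sid); // what the server finds for the replayed cookie
}

console.log(replayAfterLogout('cookie-only')); // session still resolves
console.log(replayAfterLogout('destroy'));     // undefined
console.log(replayAfterLogout('ttl'));         // undefined
```

Only the `destroy` and server-side expiry cases stop the old cookie value from resolving; expiring the cookie in the browser leaves the record in the store.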

Ps: It feels like the Session middleware in Express is fine.

  • Author: Yang Yulong
  • Links to this article: Fm126. Xyz / 2017/12/27 /…
  • Copyright Notice: All articles on this blog are licensed under a CC BY-NC-SA 3.0 license unless otherwise stated. Reprint please indicate the source!