Detailed description of the use of client sessions in Node. js programming, node. jssession
Static websites are easy to expand. You only need to cache all the data and do not need to consider combining stateful content from different servers to users.
Unfortunately, most Web applications use stateful content to provide personalized experiences. If your application can log on, remember your Session. The classic solution is to set a Cookie containing a random and unique Session ID on the client and save the identified Session data to the server.
Scaling stateful services
When you scale a service, you must have three options:
- Synchronize Session data from different servers
- Connect different servers to the Single Point Center (get Session)
- Ensure that users access the same server
But they all have defects:
- Performance overhead added for synchronizing data
- Single Point center reduces system scalability
- What if the last accessed server needs maintenance?
However, if you think about it from another perspective, you will find the fourth option: Save Session data on the client.
Client Session
Saving sessions on the client has the following advantages:
- It doesn't matter which server, and the Session data is valid.
- No need to maintain the server status
- No server synchronization required
- Add any new server
However, the client Session has a serious problem: You cannot ensure that the user does not tamper with the Session data.
For example, you save the user ID in the Cookie. Users can easily modify it to access others' accounts.
This seems to deny the possibility of the Client Session, but there is a way to cleverly solve this problem: encrypt and package Session data (still in cookies ). In this way, you do not need to worry about modifying Session data. The server will verify the data.
In practice, an encrypted Server Key is saved in the Cookie. Server Key verification before you have the right to read and modify Session data. This is the Client Session.
Node Client Session
Node. JS has a library to implement client Session: node-client-session. It can replace the session and cookieParser middleware built in Connect (a Node Middleware Framework.
Use in Express framework applications:
const clientSessions = require("client-sessions");
App. use (clientSessions ({secret: '0gbljz9ekbt2zbismuth flrpvztczcewbxxk '// you can specify a random length string! })
Then, add attributes to the req. session object:
app.get('/login', function (req, res){ req.session.username = 'JohnDoe'; });
Read attributes:
app.get('/', function (req, res){ res.send('Welcome ' + req.session.username); });
Use the reset method to terminate a Session:
app.get('/logout', function (req, res) { req.session.reset(); });
Instantly deregister the Persona Session
(Note: Persona is a network identity system launched by Mozzilla)
Unlike the server Session, the client Session cannot be deleted by the server.
You can delete Session data in the server architecture. The Session identified by any client Cookie may not exist. However, in the client architecture, Session data is not on the server and cannot be deleted from each client. In other words, the user's client status (logged on) and server status (logged off) cannot be synchronized ).
To make up for this defect, the expiration time is added to the Client Session. Verify the expiration time before expanding Session data (encrypted package. If it expires, discard the Session data and change the user status (for example, log out ).
The expiration mechanism works well in many applications (especially for short expiration time requirements ). For example, in Persona, when a user finds that the password has been threatened or damaged, we need to provide a method for the user to immediately cancel Session data.
This means that a little bit of status information needs to be retained at the backend of the service. The method for Processing Instant logout is to add a Token to the user data table and Session data.
Each API call compares the tokens in the Session data with the tokens in the database. If they are different, the system returns an error message and exits the user.
In this way, additional database operations are appended to query tokens. Fortunately, most API calls need to read the user data table and put the Token together.