Nodejs Expressjs session ip and browser agent match

I am using connect-mysql-session to store sessions in the DB. Now my question is: how do I add user data containing the browser agent and IP address in order to check whether the session is valid? How do I get that information? How do I check whether it matches?

    users.login(credentials, function (err, results) {

      // On errors
      if (err) {
        res.render(routes.index, {
          title: 'Login'
        });

      // On success
      } else if (results[0]) {
        // Set session data and redirect to start page
        req.session.userdata = results[0];
        req.session.userdata.email = req.body.email_login;
        req.session.is_logged_in = true;
        res.redirect('/start');

      // Wrong credentials
      } else {
        req.flash('warning', 'Wrong password or login');
        res.render('index', {
          title: 'Login'
        });
      }
    });

Update:

Now I have also added this to the session:

    req.session.ip = req.connection.remoteAddress;
    req.session.useragent = req.headers['user-agent'];

and check it in my authentication middleware:

    if (req.session.userdata && req.session.is_logged_in === true && req.session.ip === req.connection.remoteAddress && req.session.useragent === req.headers['user-agent']) {
      next();
    } else {
      res.redirect('/');
    }

Is this secure, or do you see any risks with it?

Best answer

Your implementation looks fine, and will give you some, very basic, protection against hijacking.

However, I'm not sure I understand your middleware. Why can't the user request /start directly? More importantly, when the middleware intercepts all requests, even the request to /start, doesn't that look like an infinite redirect loop?

My suggestion is just to consider logging a user out any time the IP or user agent do not match.

Answers

No answers yet
