What is a session?
A session is state saved on the server side. The typical use of a session is this: after a user logs in to a website, the server puts the login information into the session, and on each subsequent request it looks up that login information to confirm that the user is legitimate. Shopping carts are another classic example.
Why use sessions?
Sessions are usually discussed in the context of web applications. Web applications are built on the HTTP protocol, and HTTP is a stateless protocol. That is, when a user moves from page A to page B, a new HTTP request is sent, and while building the response for page B the server has no idea what the user did before requesting it.
It is this dynamic nature of the web that poses a difficult problem for HTTP: how can a stateless protocol associate two consecutive requests? In other words, how can a stateless protocol satisfy stateful requirements?
Statefulness is unavoidable here, and the statelessness of the protocol is a dead end on its own. So we need a mechanism to maintain state across HTTP requests, and that is where cookies and sessions come in.
The relationship between session and cookie
The two solutions to HTTP's statelessness mentioned above are cookies and sessions. Both record state: the former stores the state data on the client, the latter stores it on the server.
Security
Cookies store information on the client. If that information is not encrypted, it will undoubtedly expose some private data, so the security is poor. Generally, sensitive information is stored in cookies only after encryption, but it is still easy to steal. A session stores information only on the server side. If it is kept in a file or database it can also be stolen, but the likelihood is much smaller than with a cookie.
The main security threat to sessions is session hijacking. Generally speaking, session security is higher than cookie security.
Session memory storage in the express framework
express-session is a middleware for the express framework that is specially used to handle sessions. The session authentication mechanism cannot be separated from cookies, so the cookie-parser middleware is used at the same time.
var express = require('express');
var session = require('express-session');
var cookieParser = require('cookie-parser');

var app = express();
app.use(cookieParser());
app.use(session({
  secret: '12345',            // secret used to sign the session ID cookie
  name: 'testapp',            // this is the cookie's name; the default cookie name is connect.sid
  cookie: { maxAge: 80000 },  // maxAge is 80000 ms, so the session and its cookie expire after 80 s
  resave: false,
  saveUninitialized: true
}));

app.get('/awesome', function (req, res) {
  if (req.session.lastPage) {
    console.log('Last page was: ' + req.session.lastPage + '.');
  }
  req.session.lastPage = '/awesome'; // assigning to the session object saves or updates lastPage in memory automatically
  res.send("You're Awesome. And the session expired time is: " + req.session.cookie.maxAge);
});

app.get('/radical', function (req, res) {
  if (req.session.lastPage) {
    console.log('Last page was: ' + req.session.lastPage + '.');
  }
  req.session.lastPage = '/radical';
  res.send('What a radical visit! And the session expired time is: ' + req.session.cookie.maxAge);
});

app.get('/tubular', function (req, res) {
  if (req.session.lastPage) {
    console.log('Last page was: ' + req.session.lastPage + '.');
  }
  req.session.lastPage = '/tubular';
  res.send('Are you a surfer? And the session expired time is: ' + req.session.cookie.maxAge);
});

app.listen(5000);
Once we mount the express-session middleware with app.use, we can store and access session data through the req parameter. req.session is a plain JavaScript object (serialized as JSON when stored), and we can add members to it freely while using it. These members are automatically saved to the store specified by the options, which is memory (MemoryStore) by default.