function unsigncookie(val, secrets) { for (var i = 0; i < secrets.length; i++) { var result = signature.unsign(val, secrets[i]); if (result !== false) { return result; } } return false; }
这里是通过cookie-signature进行的解密操作
// var cookieId = req.sessionID = getcookie(req, name, secrets); function getcookie(req, name, secrets) { var header = req.headers.cookie; var raw; var val; // read from cookie header if (header) { var cookies = cookie.parse(header); raw = cookies[name]; if (raw) { if (raw.substr(0, 2) === 's:') { //切割掉前面的字符"s:"! val = unsigncookie(raw.slice(2), secrets); //val表示false意味着客户端传递过来的cookie被篡改了! if (val === false) { debug('cookie signature invalid'); val = undefined; } } else { debug('cookie unsigned') } } } // back-compat read from cookieParser() signedCookies data //如果从req.headers.cookie中没有读取到session ID的数据,那么就去cookie parser的req.signedCookies中读取 if (!val && req.signedCookies) { val = req.signedCookies[name]; if (val) { deprecate('cookie should be available in req.headers.cookie'); } } // back-compat read from cookieParser() cookies data //如果req.signedCookies中也没有获取到数据那么直接从req.cookies中获取 if (!val && req.cookies) { raw = req.cookies[name]; if (raw) { if (raw.substr(0, 2) === 's:') { val = unsigncookie(raw.slice(2), secrets); if (val) { deprecate('cookie should be available in req.headers.cookie'); } if (val === false) { debug('cookie signature invalid'); val = undefined; } } else { debug('cookie unsigned') } } } return val; }
通过这里我们很容易看到对于session ID的获取就是通过上面的secret进行签名的,如果获取到的sessionID已经被修改过,那么表示这个session已经无效了。首先是从req.headers.cookie中获取,然后从req.signedCookies中获取,最后从req.cookies中进行获取!
(2)cookie字段有什么用的?
var Session = require('./session/session') , MemoryStore = require('./session/memory') , Cookie = require('./session/cookie') , Store = require('./session/store') var cookieOptions = options.cookie || {}; function generateSessionId(sess) { return uid(24); } // generates the new session store.generate = function(req){ req.sessionID = generateId(req);//产生一个sessionID req.session = new Session(req);//产生一个Session req.session.cookie = new Cookie(cookieOptions);//在req.session对象的cookie域下面保存的是一个Cookie对象 if (cookieOptions.secure === 'auto') { req.session.cookie.secure = issecure(req, trustProxy); } };
我们看看cookie字段在哪里被处理了:
var Cookie = module.exports = function Cookie(options) { this.path = 'https://www.jb51.net/'; this.maxAge = null; this.httpOnly = true; //最终的this就是这个新创建的Cookie具有这些默认的属性,同时还具有用户自己传入的options参数,如用户传入的var cookieOptions = options.cookie || {}; //也就是用户传入的options.cookie属性 if (options) merge(this, options); /*这个utils.merge的源码只有一句话: exports = module.exports = function(a, b){ if (a && b) { for (var key in b) { a[key] = b[key]; } } return a; };*/ this.originalMaxAge = undefined == this.originalMaxAge ? this.maxAge : this.originalMaxAge; //默认的originalMaxAge就是this.maxAge也就是null,如果指定了originalMaxAge那么就是用户指定的值 };
也就是说我们在session中传入的cookie参数也成为新创建的cookie的一个属性了,而且这个这个新创建的cookie被保存到req.session.cookie下。