node.js - Invalidating all of a single user's sessions in express.js -
For security reasons we want to be able to invalidate all of a user's active sessions, for example when they change their password, or when they just want to log out of a second session. We are using Node.js, Express, express-session and a Redis session store. We have this (CoffeeScript) in our app:
app.use express.session
  cookie:
    maxAge: 5 * 24 * 60 * 60 * 1000 # 5 days in ms
  store: new RedisStore(client: rclient)
  key: "secret-key"
The Redis session store works by mapping the unique session ID to the session data. For example:
# inside an HTTP request handler
req.session.user = {_id: "user-id"}
# results in Redis:
&gt; get sess:&lt;session-id&gt;
'{"user": {"_id": "user-id"}}'
We need a way to track all sessions associated with each user ID, so that when we want to invalidate a user's sessions they can all be removed from Redis. The following caveats apply:
- Sessions are given a TTL in Redis equal to the cookie's maxAge. To avoid stale data, whatever tracking mechanism is used for each session should also be cleaned up once the session expires.
- Not all sessions are associated with a user; some are only used to track details of anonymous sessions.
A simple approach of adding a reverse-lookup key in Redis (for example a set of session IDs per user, keyed on user_id) falls foul of caveat (1).
This feels like a problem that other sites using Express must have faced, since tracking user sessions and invalidating them on demand is a very common security pattern. Does anyone have any suggestions?
Thank you!
I used a custom session ID for this situation, with the user ID embedded in the key name. This is probably the easiest way to do it right now; basically, what I had to do to set up a custom session ID was:
main.js:
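// main.js — reconstruction of the listing, which is unreadable as pasted.
var uid = require('uid'),
    redis = require('redis'),
    session = require('express-session'),
    RedisStore = require('connect-redis')(session),
    Session = session.Session,
    Cookie = session.Cookie;
var utils = require('./utils');

// COOKIE_SECRET signs every session cookie (see utils.createSession); the
// literal here is a placeholder and must be a long, unguessable value.
var COOKIE_SECRET = 'Some Random',
    COOKIE_KEY = 'mycustomsession';

var redisClient = redis.createClient(),
    redisStore = new RedisStore({
      client: redisClient,
      ttl: 24 * 60 * 60, // 1 day session expiration
      prefix: 'sess:'    // the prefix was garbled in the original listing — confirm
    });

// ... after the user has successfully authenticated inside the login route ...
//
// The user id is placed in the session id so that every session of one user
// shares a key prefix in Redis and can be enumerated and deleted together;
// uid(24) supplies the random part that keeps the id unguessable.
req.sessionStore = redisStore;
req.sessionID = 'sess:' + user.id + ':' + uid(24);
req.session = new Session(req);
req.session.cookie = new Cookie({});
req.session.user = user;
utils.createSession(req, res, COOKIE_KEY, COOKIE_SECRET);

// utils.js: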
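// utils.js — reconstruction of the listing, which is unreadable as pasted.
var onHeaders = require('on-headers'),
    signature = require('cookie-signature');

/**
 * Issue the signed session cookie for a session that the caller created by
 * hand (bypassing express-session's middleware) and persist the session to
 * the store when the response ends.
 *
 * @param {object} req - request whose req.session and req.sessionID were set by the caller
 * @param {object} res - response to set the cookie on
 * @param {string} name - cookie name
 * @param {string} secret - secret used to sign the session id
 */
exports.createSession = function(req, res, name, secret) {
  // x-forwarded-proto is trusted unconditionally here, so this is only
  // correct behind a proxy that sets/overwrites that header; otherwise a
  // client could claim https and receive a secure cookie over plain http.
  var trustProxy = true;

  // taken from express-session: write the cookie just before headers are sent
  onHeaders(res, function() {
    if (!req.session) return;
    var cookie = req.session.cookie,
        proto = (req.headers['x-forwarded-proto'] || '').split(',')[0].toLowerCase().trim(),
        tls = req.connection.encrypted || (trustProxy && 'https' == proto);
    // only send secure cookies via https
    if (cookie.secure && !tls) return;
    var val = 's:' + signature.sign(req.sessionID, secret);
    res.cookie(name, val, cookie.data);
  });

  // proxy end() to commit the session
  var end = res.end;
  res.end = function(data, encoding) {
    res.end = end;
    if (!req.session) return res.end(data, encoding);
    req.session.resetMaxAge();
    // best-effort: a failed save is logged, the response is still sent
    req.session.save(function(err) {
      if (err) console.error(err.stack);
      res.end(data, encoding);
    });
  };
};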