How does passport js store user object in session?
Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must comply with the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/35359295/
Warning: these are provided under the cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Asked by desmondlee
I am using node/express with passport in my development. I came across an article which says:
Express loads the session data and attaches it to the req. As passport stores the serialised user in the session, the serialised user object can be found at req.session.passport.user.
But to my surprise, the value for sessionID stored in the browser cookies remains the same before and after login. So where is the serialised user object stored?
I thought that it was stored in the user's sessionid cookie initially, but it seems that this is not the case as I can still access my user object with req.session.passport.user.
Answered by Raf
So where is the serialised user object stored?
In Short
The serialized user object is stored in req.user by PassportJS, taken from req.session.passport.user (which is populated by Express) with the help of Passport's deserializeUser method.
Express adds the id of the session object into a cookie on the user's browser, which is sent back to Express in a header on every request. Express then takes the id from the header, searches the session store (i.e. Mongo or whatever), finds the entry and loads it into req.session.
PassportJS uses the content of req.session to keep track of the authenticated user with the help of the serializeUser and deserializeUser methods (for more information on the workflow of serializeUser and deserializeUser see my answer in this SO question).
Express is responsible for creating the session. When does the session get created? That is when Express does not detect a session cookie. So the order in which you organize your session and passport configs in your app or server.js file is very important. If you declare your session and passport configs above the static directory configs then all requests for static content will also get a session, which is not good.
See my answer to this SO question, where I have mentioned static content access as well as how to selectively apply passport to certain routes, rather than by default (you might not need to authenticate all the routes - hence you could avoid unnecessary session store lookup and de-serialization by attaching session only to requests that map to secure URLs, see below).
// selectively applying passport to only secure urls
app.use(function (req, res, next) {
  if (req.url.match('/xxxx/secure')) {
    passport.session()(req, res, next); // run passport's session middleware for this request only
  } else {
    next(); // do not invoke passport
  }
});
There is one amazing tutorial that I highly recommend you read if you want to understand the workflow of PassportJS.
Answered by bolav
You can look at the sessionID in the cookie as a key to a database where the session data is stored. Depending on what session handler you use with express, and what storage policy you use, the data will be stored in different ways. This means that the sessionID can be the same value both before login, after a successful login, and even after a user logs out.
If you use express-session with MemoryStore the data will be saved in the memory of the node process, indexed on the sessionID. Look here for initialization of the store and here for storing of the data.
You could create a store where the data is serialized to the cookie, but none such are listed in the compatible session stores.