node.js 会话的“秘密”选项是什么?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5343131/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What is the session's "secret" option?
提问by Harry
I don't know anything about cryptography. I'm wondering what the session secret is.
我对密码学一无所知。我想知道会话秘密是什么。
I see code like this:
我看到这样的代码:
app.use(express.session({
store: mongoStore({
url: app.set('db-uri')
}),
secret: 'topsecret'
}));
What is the secret and should I change it?
秘密是什么,我应该改变它吗?
采纳答案by Hacknightly
Yes, you should change it. A session secret in connect is simply used to compute the hash. Without the string, access to the session would essentially be "denied". Take a look at the connect docs, that should help a little bit.
是的,你应该改变它。connect 中的会话密钥仅用于计算 hash。如果没有该字符串,对会话的访问基本上将被“拒绝”。看看connect docs,应该会有所帮助。
回答by substack
The secret is used to hash the session with HMAC:
该秘密用于使用 HMAC 散列会话:
https://github.com/senchalabs/connect/blob/master/lib/middleware/session.js#L256
https://github.com/senchalabs/connect/blob/master/lib/middleware/session.js#L256
The session is then protected against session hiHymaning by checking the fingerprint against the hash with the secret:
然后通过使用密钥检查指纹与哈希值来保护会话免受会话劫持:
https://github.com/senchalabs/connect/blob/master/lib/middleware/session.js#L281-L287
https://github.com/senchalabs/connect/blob/master/lib/middleware/session.js#L281-L287
回答by Rahul Saini
secret key basically used for to encrypt data in session
密钥主要用于在会话中加密数据
