My current idea is to define a User object, which includes uid, username, password, isLoginedwait. Then set up an interceptor. When the user makes the first request (session starts), it will determine whether the user is logged in based on user.isLogined from the database. If logged in, it will be at the session level. Set isLogined equal to true, otherwise it will redirect to the login page.
But in this case, how should I determine the user's identity when the user makes the first request? If uid is set in the cookie, the uid can be forged by others, posing a potential security risk.
Is there any good solution to this problem?
My main problem is how to judge the legitimacy of the user's login identity. Now my idea is to encrypt the user id and save it in a cookie. Only I know this key, so even if others know the user id, they will not know it. I would like to ask if this is reasonable.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
This risk is huge: if the uid is changed to someone else’s, and that person happens to be logged in, then they will be logged in as someone else
Follow your plan:
1. Set the uid of the cookie to be encrypted, or a meaningless random string
2. Use this string to compare with the db, or compare with the cache, and verify the IP at the same time Or user agent to enhance security
3, consider session expiration policy
First of all, you need to store user information in your database and set it up
isLogined默认为FALSE,每次登陆成功后更新为TRUE,退出后更新为FALSE;判断登陆成功的标志用userName userPass 匹配,还有isLogined判断;最后设置判断级别,先isLogined后用户密码;It is recommended that the login status should not be stored in the database, at least not in a relational database; you can return the token after the user login verification is completed, and all subsequent user requests will carry this token in the authorization field of the headers; you can learn more Let’s take a look at jwt and related implementations
According to your current method, if I am an anonymous user who is not logged in and requests one of your interfaces, and then is intercepted from the database to determine whether the user is logged in based on user.isLogined, then a problem arises. Who is the user in your user.isLogined?
It is recommended to put the user login success information in the session after logging in directly. When requesting, just use the interceptor to verify the session. Do not access the database. This database access operation is very expensive for every request.