koa-identify
v2.0.0
Published
Koa middleware that uses two cookies to uniquely identify a browser and a browser session
Downloads
240
Readme
koa-identify
Koa middleware that uses two cookies to uniquely identify a browser and a browser session
Using koa-identify
When you use this middleware, two cookies will be created on each browser client.
this.browserId
: a 32 character base64 string prefixed withb-
. This is stored in a browser cookie that identifies that browser until the browser's cookies are clearedthis.sessionId
: a 32 character base64 string prefixed withs-
. This is stored in a session cookie that identifies the browser until the session is over
When a browser or session is seen for the first time and the cookie is set, this.browserIdCreated
and/or this.sessionIdCreated
will be set to true.
Example
var koa = require('koa');
var identify = require('koa-identify');
var app = koa();
app.use(identify());
app.use(function *(){
this.body = "koa-identify test\n";
this.body += "browserId=" + this.browserId + "\n";
this.body += "sessionId=" + this.sessionId + "\n";
if (this.sessionIdCreated) {
console.log("sessionIdCreated");
}
if (this.browserIdCreated) {
console.log("browserIdCreated");
}
});
app.listen(4000);
console.log("Listening on port 4000");
This will generate a webpage that looks something like:
koa-identify test
browserId=b:U4QQ/UuSPxzep9eXNPwmRkWUU0sWe2MO
sessionId=s:U4QRA6H8o/3dBbBVxEwFIKXjVd0cf6Rf
If you quit your browser and reopen the page again, the sessionId
will
change, but the browserId
will remain constant until you clear your
cookies.
Options
You can optionally pass an object of options in your app.use
call.
The default options are suitable for almost all uses and so you shouldn't normally need to use these.
Options passed in objects under the session
and browser
keys will
be just used for the session or browser cookies respectively. All other
options given will be used for both.
Ex:
app.use(identify({
session: {
name: 'custom-session-cookie-name',
},
secure: true,
browser: {
httpOnly: false, // not advised but possible!
},
}));
Available Options
secure
: Only send these cookies over https. Provides extra security if your site is entirely served over https (or if, at least, everything you want to authenticate is), but will break your site if you're just using http. Defaults tofalse
.httpOnly
: Make these only accessible via http, i.e. not from client side JavaScript. This provides some protection against XSS attacks. Unless you really know what you're doing, you should just leave this astrue
. Defaults totrue
.expires
: ADate
describing when the cookie should expire. You should just leave these as the default unless you have a very good reason to change them.generateIdentifer
: A function that generates a new identifier. The default, describe below, should be fine for most cases.
Only valid under session
and browser
name
: The name of the cookie used. Defaults toks
for session andkb
for browser.prefix
: The prefix used for the cookie value. Defaults tos-
for session andb-
for browser.
Etc.
Identifiers
Identifiers are created with the crypto.randomBytes
method plus an encoding of the current time from the server setting the cookies.
Explicitly setting the browser or session
If you really want to do this for some reason, just set the cookie using this.cookies.set
before this middleware runs.
In the future, a setter may be provided, but in general, its best to let this library take care of that for you.