 

What exactly do serialize and deserialize do in sessions with Passport and Express?

I have only the haziest notion about what sessions do, and the official documentation does not help much, since it assumes I know what sessions are and therefore also know why users need to be serialized and deserialized.

Here's what I think I know: a session is like a post-it note stuck on the server's refrigerator that says "User bob is cool. Let him in." Every time a new request comes from bob, the server checks the post-it note and says, "Yep. Bob's still cool."

So serialization is writing the post-it note, and deserialization is taking it down. Here's what I don't understand: how does this code write a post-it note, and what is 'done' doing?

passport.serializeUser(function(user, done) {
  done(null, user.id);
});

And how does the following code throw away the post-it note? findById accesses the array where I store my users. Why does that need to be accessed if the 'post-it note' is just going to be thrown away?

passport.deserializeUser(function(id, done) {
  findById(id, function (err, user) {
    done(err, user);
  });
});

What, exactly, is the flow here?

The rest of the code for these examples is here

Tara Roys asked Oct 02 '14 19:10



1 Answer

You're halfway there with your refrigerator analogy. Sessions are indeed like a post-it note, but you write what you want on them. Serialization is the writing part, and deserialization is the reading part.

So your user logs in. You don't want to keep all his info in the session because it's already in your database. But on subsequent requests, you want to remember who he is. So all you have to write down on your post-it is his Id, let's say 1234. By calling done, you're informing passport that this is what you want to stock in the session.

On a subsequent call, passport retrieves your post-it and says "Ok, I know this guy, his id is 1234". findById is the method you call to retrieve all his information, like his name. By calling done here, you're saying "ok, here's the info about that user. His name is Bob."

If you're wondering why you're calling done and not simply returning the value, it's because both your serialization and deserialization could be asynchronous. If you want more info about asynchronous code, I strongly suggest reading Node the right way, since it's a core concept of Node.js.

Hope this helps.

jbblanchet answered Oct 23 '22 10:10
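As an added illustration (not part of the answer and not Passport's source code), the flow the answer describes can be simulated with a fake in-memory session store and the two callbacks from the question. The names `users`, `sessions`, `login`, `handleRequest`, `sessionContents` and `deleteUser` are invented for this simulation; only `serializeUser`, `deserializeUser`, `findById` and `done` come from the page.

```javascript
// Simulation of Passport's serialize/deserialize flow (not Passport's own code).
// The session keeps only what serializeUser hands to done(); deserializeUser
// rebuilds req.user from that value on every later request.

// Constructed sample user table, standing in for the asker's user array.
const users = { 1234: { id: 1234, name: 'Bob' } };

// Callback-style lookup like the asker's findById. It runs synchronously here so
// the example executes inline; a real database call is asynchronous, which is
// exactly why Passport hands you done() instead of using a return value.
function findById(id, cb) { cb(null, users[id] || null); }

const sessions = new Map(); // sessionId -> { user: <whatever serializeUser wrote> }

// The two callbacks from the question, kept the way Passport would register them.
const serializeUser = (user, done) => done(null, user.id);
const deserializeUser = (id, done) => findById(id, (err, user) => done(err, user));

// Login: run serializeUser and write only its result on the "post-it" (the session).
function login(sessionId, user, cb) {
  serializeUser(user, (err, serialized) => {
    if (err) return cb(err);
    sessions.set(sessionId, { user: serialized });
    cb(null, serialized);
  });
}

// Later request: read the post-it, hand it to deserializeUser, populate req.user.
function handleRequest(sessionId, cb) {
  const req = { user: undefined };
  const session = sessions.get(sessionId);
  if (!session) return cb(null, req); // no post-it: anonymous request
  deserializeUser(session.user, (err, user) => {
    if (err) return cb(err);
    if (!user) {
      // Lookup found nobody (e.g. the account was deleted since login). Passport's
      // session strategy drops the stored user in that case, so the old session
      // no longer logs anyone in; the simulation does the same.
      sessions.delete(sessionId);
      return cb(null, req);
    }
    req.user = user; // the full record, fetched fresh, never stored in the session
    cb(null, req);
  });
}

function sessionContents(sessionId) { return sessions.get(sessionId); }
function deleteUser(id) { delete users[id]; }
```

Because the session holds only the id, anything looked up in `deserializeUser` (name, role, account status) reflects the database at request time rather than at login time.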