
Sorry for the generic title. I'm playing around with Mozilla's Persona at the moment. I'm using Express.js with the express-persona middleware so setting everything up was incredibly simple. The client-side part is easy too, but I'm having a hard time understanding one particular part of the documentation. It says:

loggedInUser: The email address of the user currently logged into your site from this computer, or null if no one is logged in. For example, you might examine the browser's cookies to determine who is signed in. [...] Persona will compare the email address you've passed into loggedInUser with its own knowledge of whether a user is currently logged in, and who they are. If these don't match, it may automatically invoke onlogin or onlogout on page load. (Source)

express-persona sets a cookie which includes (I guess) the crypto-foo that acts as a password replacement. Am I supposed to store the email address returned by the backend in a separate cookie? That doesn't seem to be a very good idea. Maybe one of you guys knows how that's supposed to work.

superlukas

1 Answer


You wouldn't store the email address in a cookie for Persona, any more than you'd store the username in a cookie for a password-driven login.

No, basically you do the same thing with Persona: Use a session, stored on your server, keyed from a cookie. The only difference is that your site went through the Persona auth process, instead of verifying a username + password.

The example on the page you linked to has a currentUser variable. Well, in a real web site, that variable would be filled in as a template from the server side. Do whatever you would do to support a login session, find the currently authenticated user, insert that user's email address.

LMOrchard

  • Thing is, I'm not doing anything, really. It looks like the express middleware does everything for me. [Here's](http://pastebin.com/YpF8WsfY) the example from the MDN page and [here's](http://pastebin.com/1kBrx6e8) the express-persona example. I click the button, sign in, close the tab, open a new tab, connect to localhost again and I'm signed in automatically. It feels like I'm supposed to set the *currentUser* variable before doing the ajax call, though. – superlukas Oct 08 '12 at 16:41
  • Yeah, [looks like express-persona does exactly what I suggested](https://github.com/jbuck/express-persona/blob/master/index.js#L71): it stores the verified email in the current session under a configurable key (`email`, by default). So, it looks like you'd get the current authenticated email from `request.session.email` and just count on express-persona to set that for you. – LMOrchard Oct 09 '12 at 00:41
  • Yup, that's what I figured. I guess I just don't understand the purpose of the *currentUser* variable then. I can live with that. Thanks :) – superlukas Oct 09 '12 at 00:55
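As an added example, not code from the question, the answer or express-persona itself: an Express-compatible handler that fills `loggedInUser` in from `req.session.email` (the default session key the answer points to) and escapes it before embedding it in the inline script. It assumes a session middleware and express-persona are already mounted, and that `/persona/verify` and `/persona/logout` are express-persona's default routes.

```javascript
// Server side: derive loggedInUser from the server session only; a client-set
// cookie or request field must never be trusted for this value.
function loggedInUserFor(session) {
  if (!session || typeof session.email !== 'string' || session.email === '') {
    return null; // Persona expects null, not undefined or ""
  }
  return session.email;
}

// The address is embedded in an inline <script>; JSON.stringify alone is not
// enough there, because a "</script>" inside the string would close the tag.
function safeJsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Fill the page template with the session's view of who is signed in, so
// navigator.id.watch() starts from the same state the server holds.
function renderPersonaPage(session) {
  var current = safeJsonForScript(loggedInUserFor(session));
  return [
    '<script src="https://login.persona.org/include.js"></script>',
    '<script>',
    'navigator.id.watch({',
    '  loggedInUser: ' + current + ',',
    '  onlogin: function (assertion) {',
    '    fetch("/persona/verify", { method: "POST", credentials: "same-origin",',
    '      headers: { "Content-Type": "application/json" },',
    '      body: JSON.stringify({ assertion: assertion }) })',
    '      .then(function () { window.location.reload(); });',
    '  },',
    '  onlogout: function () {',
    '    fetch("/persona/logout", { method: "POST", credentials: "same-origin" })',
    '      .then(function () { window.location.reload(); });',
    '  }',
    '});',
    '</script>'
  ].join('\n');
}

// Express-compatible handler: mount after the session and express-persona
// middleware, e.g. app.get('/', personaPage). (Assumed wiring, not shown.)
function personaPage(req, res) {
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end(renderPersonaPage(req.session));
}
```

Because the value comes from the session rather than a separate cookie, a logout on the server (session cleared) and a reload are enough for Persona to see `null` and stop treating the browser as signed in.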