
I have an authentication method based on socket.io, and I know you can save the client id in a cookie or add a hash to the request URL.

But I'm looking for a way of implementing sessions in Node.js that doesn't rely on storing data on the client side. Is that even possible?

Nasser Torabzade

1 Answer

If you don't want to store data on users' machines, then you will have to use existing data they already have: browser version, IP, user agent... but that's not going to be very reliable, because any website will be able to see that information, and thus the session will be insecure.
That doesn't happen with cookies, because they are "private": they can only be seen under a certain domain.

Another method, as you know, is adding a secret tag to every HTML link/form your server generates, and using that secret key to identify logged-in users. That's similar to cookies, but more complex. You don't have to "store" anything on the user's machine...
There is a problem with this method: if the user shares a link, a custom link, then your secret key won't be secret anymore.

EDIT: I've found a similar question you should read: Node.JS session without cookies

Salvatorelab
  • Thanks, using existing data that clients already have is exactly what I'm trying to do. What do you think about using IP addresses? Is that insecure too? I mean, can a client manually change their IP, or is there any possibility of duplicated IPs among clients at the same time? – Nasser Torabzade Oct 29 '13 at 20:52
  • IPs are dynamic. Also, two clients under the same router will have the same IP. So you should add more info to make a "unique" combination. And remember that if your users enter another site, that site will also be able to see their IP, etc., and get the same information you are using, so sessions on your site would not be secure... – Salvatorelab Oct 30 '13 at 08:56