
After surfing the web about cookies and sessions, I am creating a simple login in nodejs using express with cookie/session, using redis as my data storage.

What do you think is the best way to handle cookies/sessions after the user logs in? I also have these questions in my mind:

  1. How do I prevent userA's cookie from being injected into userB's browser?
  2. Do I need to check the value of the cookies before performing any process?
  3. Using cookieParser, is it safe to assume that the connect.sid is unique in every browser?
  4. app.use(session({secret: 'secretkey', key: 'quser'})); what is this secret all about?

I can't make up my mind on how I'm going to use them in a proper way. Thanks guys.

Joenel de Asis

2 Answers

2

Use a library.

It is such an easy thing to make a tiny mistake with disastrous consequences.

I've used Passport before and liked it a lot.

This was a similar question that had some very good replies: user authentication libraries for node.js?

Nathan
    I also recommend using a well established library such as Passport, but maybe the OP wants to understand the fundamentals behind session management. Understanding is much more important than implementing a library or copying and pasting code. – Michael Jun 15 '14 at 19:45
  • 1
    Thanks guys. But how about doing it without using any libraries? – Joenel de Asis Jun 16 '14 at 11:58
  • 1
    I really really caution you to use a library. Encryption and authentication are two of the _hard_ problems in programming that can have the worst consequences. If you make an error most places, consequences can be contained. You make an error here, you can be ruined. However, if you are just playing around and want to learn about it, that is a different story entirely. To go down that path, what I would recommend would still be to go to the libraries, but instead of using them, simply learn from them and see how they do things. – Nathan Jun 17 '14 at 04:31
2

According to the session middleware (https://github.com/expressjs/session)

secret - session cookie is signed with this secret to prevent tampering.

Secret option will make sure your cookie is not modified.

There is a lot written about stealing cookies and preventing Cross Site Scripting. One of the possible ways to do it is to make the cookie unavailable to JavaScript by providing the option httpOnly: true

cookie - session cookie settings. (default: { path: '/', httpOnly: true, secure: false, maxAge: null })

Do I need to check the value of the cookies before performing any process?

Usually you keep in the cookie only some information identifying your session, and the session data is kept on the server. You can do it yourself, but there are some great libraries which could help. One of the most popular for handling authentication in express is passport.js (http://passportjs.org/)

While using passportjs you will implement two methods, serializeUser and deserializeUser. They will be called on each request to get the user data based on the identity saved in the cookie. Here you can use for example mongo or redis.

Alexei