
I have a very good basic understanding of sessions.

There are 2 options to use sessions with express and node.js.

  1. express.session
  2. express.cookieSession

The first I am well familiar with, but I have a few questions regarding the second method.

Using cookieSession will store all the actual data on the client side cookie. This means that sensitive data will be saved on the client side.

This seems very very bad. Doesn't this mean that some malicious software could retrieve this data?

And another question:

I have tried to replace my express.session with express.cookieSession and everything works and I can see the data on the client side, but it seems each time I delete the cookie and re-enter the server, I am getting the SAME session token. How is this possible?

Is there something else I should do besides changing the express.session to, let's say:

app.use(express.cookieSession({ secret: 'keyboard cat' }));

Why am I getting the same token each time the client gets a new session?

Scimonster
lobengula3rd

1 Answer


Question 1 regarding security: One site cannot access another site's cookies, but there are certainly risks when putting sensitive data on the client. It is not recommended. Read the answer here for a basic rundown: How to store cookies containing sensitive data securely in PHP?

Question 2 regarding same token, see my comment on your question.

Community
glortho