2

I am trying to setup a user login system with Node.js (Express), Socket.io, and Redux/ReactJS. This is the approach I'm taking:

  1. The user connects through Socket.io as soon as he/she gets to the web app.
  2. Through socketio-auth the user is required to authenticate and passes their username and password to the server.
  3. Then, using socket.io-express-session, like in this example, I set a cookie with the user's username and password, so that every time they come back to the website they can be re-authenticated through socketio-auth. (I realize I could probably save a unique token in the cookie instead, would this be better?)
  4. On the server, upon authentication, I just save their details with their socketId to the Redux store for use with every Socket.io request while the session lasts.

Assuming this is all done over SSL, is this safe? What changes would you suggest? I'm trying to make it as simple as possible yet still very safe.

Community
  • 1
  • 1
Leopold Joy
  • 4,524
  • 4
  • 28
  • 37
  • 1
    I love your project. The point #3 is for sure unsafe. But I wonder what is a correct solution. Most certainly a temporary token. You make me realize that I don't really know how all these website we're logged in are using for this use-case. – Mr.Pe Mar 07 '16 at 16:11

1 Answers1

0

It seems like point 3, with Local Storage, is the best way to go for now.

See someone else interrogation: https://github.com/hueniverse/hawk/issues/138#issuecomment-196989520

Mr.Pe
  • 719
  • 1
  • 7
  • 19