I am having a hard time understanding the role of the cookie that is generated in the express-session package.

So in the code below:

var express = require('express')
var session = require('express-session')
// session-file-store returns a Store constructor once it is given express-session
var FileStore = require('session-file-store')(session)
var app = express()

app.use(session({
    name: 'session-id',
    secret: 'sdafjlkdashf34khrjke',
    saveUninitialized: true,
    resave: true,
    store: new FileStore()
}))

function auth (req, res, next) {
    if (!req.session.user) {
        req.session.user = 'admin'
        next()
    } else {
        console.log(req.session)
        next() // without this the request would never reach the route handler
    }
}

app.get('/', function (req, res) {
  res.send('Hello World!');
});

app.listen(3000, function () {
  console.log('Example app listening on port 3000!');
});

So essentially in the simple code snippet above, whenever the user makes a request to the server (like this: localhost:3000/) 3 things will happen:

  1. A new session object will be created for that specific client.
  2. In that new session object a cookie will be attached automatically for that specific client.
  3. Finally since I am using session-file-store, ONLY the cookie information (not the session object) will get saved to a session folder on my local machine.

So now let's say 50 cookie objects are stored in that session folder since 50 clients made a request to my server.

So my question is, whenever one of those 50 users makes another request to my server, how does express-session know which cookie object (from the session folder) to pick and attach to the req object for use in the code?

  • Okay, so after doing some research I realized that when a specific client (let's say your browser) makes a request to my server, then based on the domain of the client (in other words the IP address, I think? Someone can correct me here what domain refers to) the server knows which cookie belongs to that client. More is explained here: http://stackoverflow.com/questions/8805958/how-browsers-know-what-cookies-to-send-to-server-when-requesting. –  Aug 31 '16 at 06:37

The session object is a regular JavaScript object in which you can store (reasonably) generic information for a particular session.

A session is identified by a unique identifier, the session key or session id. This is what gets stored in the cookie, and it's used to correlate the client to the session file.

Here's an example cookie that gets set for me:

set-cookie: session-id=s%3AvdD2a8WqJD3R5L5UjZ_oWDkWMVbEa8UF.%2BXjKW6hIaX%2FfDAJm2lSZrEJ0xFigoeHjru1rZT7Na0E

It consists of four parts (I url-decoded them for clarity):

  • s:: a prefix set by express-session to indicate that the session cookie is signed;
  • vdD2a8WqJD3R5L5UjZ_oWDkWMVbEa8UF: the unique identifier. If you look in the directory where the sessions are stored, you'll find a JSON file by that name;
  • .: a separator between the session id and the signature;
  • +XjKW6hIaX%2FfDAJm2lSZrEJ0xFigoeHjru1rZT7Na0E: the cookie signature (to prevent tampering);

So the cookie itself doesn't contain any session information; that's all stored in the file.

Here's an example of a session file:

{
  "cookie": {
    "originalMaxAge": null,
    "expires": null,
    "httpOnly": true,
    "path": "/"
  },
  "value": 1472628829554, // this is a value I stored in the session
  "__lastAccess": 1472628829557
}

The domain, in terms of cookies, means to which domain (or website) a cookie belongs. If example.com sets a cookie, the cookie is tied to that domain and will only be sent to that website. However, this doesn't have anything to do with identifying the client that sent the cookie; that's the job of the session id.

robertklep