
I am learning to make a website with nodejs, express, socket.io and mongodb. I am pretty much self-taught but when it comes to authentication, I can't find a tutorial that explains how it works in simple terms.

I have a login form, a signup form, and the user data is stored in the database on registering. When I log in, the page greets me with my username, but when I refresh or close the tab and come back, I have to log in again.
All I want is to let users come back without having to log in every time.

All I can find are explanations like this one: http://mherman.org/blog/2015/01/31/local-authentication-with-passport-and-express-4
And I don't really get it.

Can someone explain what I am missing here?

PatrickCUDO
  • You need to show some code, but I will hypothesize that you're not doing any kind of session management, or if you are, you're serving it over http but have the secure:true option, which requires https. – Paul Mar 13 '17 at 01:55
  • Sounds like `cookies` are what you're looking for. Create a strong, random cookie with the crypto module, i.e. `require('crypto').randomBytes` and check for that cookie on `req`. If the user has that cookie, treat them as "logged in". – Jekrb Mar 13 '17 at 01:57
  • Thanks for the replies. Yes, I am not doing any kind of session management yet. I struggle to find a link explaining how that works. What Jekrb said sounds awesome. Looking for cookies I found this: http://stackoverflow.com/questions/16209145/how-to-set-cookie-in-node-js-using-express-framework Many thanks! – PatrickCUDO Mar 13 '17 at 02:01

1 Answer

Session management is something that Jekrb highlighted, and it is also a great question when it comes to identifying users, whether they be anonymous or registered users of your application.

Though before I go into any depth I am going to highlight that cookies have a slight problem if your application is going to work on a larger scale, where you have this scenario: "What happens if you have N servers where N > 1?" So to some degree, if you're unsure of your user base, cookies may not be the correct approach.

I'm going to presume that you don't have this issue, so providing cookies as a means of identifying users is appropriate, but it isn't the only method available.

This article outlines a few ways in which the industry tackles this:

https://www.kompyte.com/5-ways-to-identify-your-users-without-using-cookies/

My favorite method here would be canvas fingerprinting using https://github.com/Valve/fingerprintjs2, which will create a hash that you can store and use to verify new connections, probably with something like socket.io, which you've listed as using. A major upside of this is scalability, as we can store these unique hashes centrally inside of the database without the fear of always being stuck with one server.

Finally, I haven't posted any code, which I dislike, but the topic is hard to pin down to specifics, though I have hopefully offered some alternatives to just cookies.

li x
  • Many thanks for providing such hints. So with fingerprintsJS, I can even offer to create an anon account with one click. (I don't need username/emails/etc ...) – PatrickCUDO Apr 13 '17 at 15:08
  • You could, though it's per browser signature, so if they were to open Chrome after using Firefox, for example, it's likely a separate hash would be generated. – li x Apr 13 '17 at 16:30
  • I'm thinking of adding some "key" to the user schema and providing a unique URL personalized with that key so each user can access his account directly. – PatrickCUDO Apr 29 '17 at 11:59