0

I am building a single page react app that uses redux as state manager and an express node js as backend server, but I don't know what is the best way to authorize my users in the application!

If it was a php or express-js website, I could use PHPSESSION or express-session to manage users sessions data but now the single page web application is separated from the backend and I can't manage sessions like before!

My idea is to make a session id for each new web request, then save it for client in local storage, then in the server store all needed informations in a database and when application have an API call, send that id in request header. Then we can check authorizations by using that implemented session.

But I thought if there was a simpler way to handle this problem that has no need to make a session implementation by myself.

(I don't want to use third party services like firebase or okta or save all session data in client part like JWT.)

amin msh
  • 472
  • 5
  • 14
  • You can see it ; https://stackoverflow.com/questions/49819183/react-what-is-the-best-way-to-handle-login-and-authentication – Ali Yaman Dec 07 '19 at 21:32
  • Well... Since you are using Redux, and a user session looks like a global state, you could store the token on the store. Isn't that enough? – macabeus Dec 07 '19 at 23:43
  • Also, why you want to make a new session id for each request? I think that it could have so much async problems. You'll can do just one request for each time! – macabeus Dec 07 '19 at 23:45
  • @Macabeus yes i can store it but my main question is about backend part.. should i implement my own session manager? – amin msh Dec 08 '19 at 08:51
  • @aminmsh Please, update the tags of the question. I thought that the question is about front-end part (please you tagged `redux`, `reactjs`...). Also, is better to use a third party solution, because it too easy to do something wrong and open a security hole. – macabeus Dec 08 '19 at 16:13
  • @Macabeus my question is exactly this.. how not to use third party solution and don't open a security hole. for some reasons i can't use third party solutions – amin msh Dec 09 '19 at 08:40

1 Answers1

0

At the end i implemented a custom session manager ( SessionMush ) so the client send a request to server and get a token id then use it to access its session in server.

Each session should be accessible by an identification token ( here knows as sid ) so the application can save that token to access and use that session. A server side state for your application can be use for saving clients auth state or any temporarily data about clients that you want to use them on server side so in your application you will save that identification token and then with each request you will send it in http headers then the server will know who you are and what was you did before on the application based on that saved session data in database (server side state for that id) so it can serve the needed information for you based on the client identity and it's state on the server. It created to be used as a express middleware and mongodb as data store.

When your application have no session and it loaded for the first time it sends a request to the server to gain an identity for itself When the request received to the server, server analyze the request and it'll find out that there is not exist any session id (sid) so it will make a new one for this request and add it to response header part so when the server decide to send the response it will send that created session informations too. The client should save that informations to use that session for its other requests. it can send that id in the request header part to show its identification. A session can be expire too when it doesn't used for a threshold time. so when the server get wrong or expired session it will behave to it like a request without any session so it will create a session for that request and send its informations like what we explained before.

enter image description here

amin msh
  • 472
  • 5
  • 14