Is the top-voted answer given here secure?
As far as I can tell, the communications are not encrypted. Are there any other holes that need to be patched for a truly secure authentication system?
In Express, sessions use cookies to make a connection between a browser and the database. The cookie is encrypted using a secret key you set in the application. If you are interested, this is the code used to encrypt the cookie: https://github.com/senchalabs/connect/blob/master/lib/utils.js#L158-163
If you are afraid that somebody on the network can sniff the traffic, then you should use HTTPS, and if you're even more paranoid you can encrypt the data again client-side and decrypt it server-side using the Stanford Javascript Crypto Library.
If you are also trying to protect against man-in-the-middle attacks on the connection, then you absolutely need an HTTPS connection, a signature from a certificate authority, and to prevent third-party code injection into your pages.