Reputation: 57978
I am new to nodejs/mongo, so I ended up rolling my own session middleware because I didn't know about express-session-mongo.
In my middleware, I store the user's id in the session (via express's session middleware), and then load the logged-in user object on every request. I also allow the user to store their user/pass in an httpOnly cookie for a 'remember me' functionality.
The docs page for that npm leaves something to be desired.
My question is: what are the advantages of that module vs what I wrote? Am I doing something stupid? How is what they do better than what I do?
Upvotes: 0
Views: 478
Reputation: 146114
Your technique is highly insecure. If I just need to know the ID of a user record in your database, and I can use that in my session cookie to become any arbitrary user, that's a massive vulnerability. Session IDs should be pseudorandom tokens that in and of themselves do not contain any data. They are just unguessable numbers used to look up data on the server side. They should also be unique for each session across time, which a user ID is not.
Upvotes: 1