Reputation: 1615
I have an application built in Express that has two different user roles: admin and regular.
Whenever a person signs up, there are two users created internally, one with the admin role and another with the regular role. Both of them are created with the same email address, but each one of them has a different password.
Right now, when a regular user logs in, she can switch (log in) to the admin counterpart by just entering the admin password.
I would like to add a feature to let them switch back to the regular user by just pressing a button, but this would imply somehow storing the regular user's session cookie on the client.
How can I achieve this without compromising the security of the app?
These are the possible ways I have tried without any luck:
Upvotes: 0
Views: 636
Reputation: 3224
Question: if the user logs in as an admin in the first place, would you also want them to be able to shift to a regular user with no login, or is that not a supported use case?
Question 2: are you just rolling your own authentication and user management, or do you have another library in the mix which may be relevant?
Thoughts: Without knowing how you lay out your sessions, as well as how you store your users, but thinking about the way I do (which is that I have a user attribute of req.session): you could have a server method - let's just call it downgradeUser().
When invoked, it could simply change the session.user object to the regular user which shares the email address with the then-current admin user. Assuming you have a function getRegularUserByEmail which looks up your user based on an email address, bypassing any password check.
app.get('/downgradeuser', function downgradeUser(req, res) {
    req.session.user = getRegularUserByEmail(req.session.user.email);
    // render, redirect, send a 200-OK, etc, based on how you're calling it.
});
While you could secure access to this method or add a check inside it to verify that the original session.user has the admin role, my quick thought is that you might not really need to, since if called by a regular user, the result would be resetting the session.user to the same thing it was, although you'd probably want to do the check to avoid the needless overhead of reloading the user as well as because you might consider an unexpected case for which you'd want a warning.
Let me know if I am missing something or if this isn't suitable for some reason.
Hope this helps.
Upvotes: 1
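The downgrade handler from the answer above with the admin-role check it mentions, as an added example that is not the answerer's code: the logic is factored into a plain function over the session object so it runs without Express, and the user store, emails and ids are constructed sample data (the real app would query its user database in getRegularUserByEmail).

```javascript
// Constructed sample store: each sign-up creates an admin and a regular
// user that share one email address (as described in the question).
const users = [
  { email: 'alice@example.com', role: 'admin',   id: 'a-admin' },
  { email: 'alice@example.com', role: 'regular', id: 'a-regular' },
  { email: 'bob@example.com',   role: 'regular', id: 'b-regular' },
];

// Looks up the regular counterpart by email. No password is involved: the
// caller already proved possession of the admin password for this email
// when the session was upgraded.
function getRegularUserByEmail(email) {
  return users.find(u => u.email === email && u.role === 'regular') || null;
}

// Core logic of the /downgradeuser route. Mutates session.user on success and
// returns an HTTP status plus a message so the caller can decide how to reply.
function downgradeUser(session) {
  const current = session && session.user;
  if (!current) {
    return { status: 401, message: 'not logged in' };
  }
  // Only an admin session has anything to downgrade. A regular user hitting
  // this route would just be reloaded to the same account (the answer's
  // point), so refuse it and treat it as the unexpected case worth logging.
  if (current.role !== 'admin') {
    return { status: 403, message: 'only an admin session can be downgraded' };
  }
  const regular = getRegularUserByEmail(current.email);
  if (!regular) {
    // Every account is supposed to have a regular counterpart; its absence
    // is a data-integrity problem, not a user error.
    return { status: 500, message: 'no regular user for ' + current.email };
  }
  session.user = regular;
  return { status: 200, message: 'switched to regular user' };
}

// Express-style wiring (hypothetical route; req/res shape as in Express).
function downgradeUserHandler(req, res) {
  const result = downgradeUser(req.session);
  res.status(result.status).send(result.message);
}
```

Register it with app.get('/downgradeuser', downgradeUserHandler); since the downgrade never touches a second cookie, nothing about the regular account needs to be stored on the client.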