Joenel de Asis

Reputation: 363

Node.js cookies and session management

After surfing the web about cookies and sessions, I am creating a simple login in Node.js using Express with cookie/session, using Redis as my data storage.

What do you think is the best way to handle cookies/sessions after the user logs in? I also have these questions in my mind:

  1. How do I prevent userA's cookie from being injected into userB's browser?
  2. Do I need to check the value of the cookies before performing any process?
  3. Using cookieParser, is it safe to assume that the connect.sid is unique in every browser?
  4. app.use(session({secret: 'secretkey', key: 'quser'})); what is this secret all about?

I can't make up my mind on how I'm gonna use them in a proper way. Thanks guys.

Upvotes: 1

Views: 4517

Answers (2)

Alexei

Reputation: 249

According to the session middleware (https://github.com/expressjs/session):

secret - session cookie is signed with this secret to prevent tampering.

Secret option will make sure your cookie is not modified.

There is a lot written about stealing cookies and preventing Cross Site Scripting. One of the possible ways to do it is to make the cookie unavailable to JavaScript by providing the option httpOnly: true

cookie - session cookie settings. (default: { path: '/', httpOnly: true, secure: false, maxAge: null })

Do I need to check the value of the cookies before performing any process?

Usually you keep in the cookie some information identifying your session, and the session data is kept on the server. You can do it yourself, but there are some great libraries which could help. One of the most popular for handling authentication in Express is passport.js (http://passportjs.org/).

While using passportjs you will implement two methods, serializeUser and deserializeUser. They will be called on each request to get the user data based on the identity saved in the cookie. Here you can use, for example, Mongo or Redis.

Upvotes: 2

Nathan

Reputation: 409

Use a library.

It is such an easy thing to make a tiny mistake with disastrous consequences.

I've used Passport before and liked it a lot.

This was a similar question that had some very good replies: user authentication libraries for node.js?

Upvotes: 2
