Kites

Reputation: 1168

In Express.js, is it safe to store any data in sessions?

I'm used to working solely with cookies.

With cookies, I would save a username and hash and perform a database query on each pageload, to ensure that the user has the correct password. I was about to do the same thing with sessions, when it occurred to me that sessions are not editable by the user.

Theoretically, I could say:

req.session.authenticated = true

and just test to see if the user has been authenticated, without rechecking if the password was correct.

Is this safe to do? Or is it necessary to store the username and hash?

P.S. I'm using Express 4.8.6 with express-session 1.7.6

Upvotes: 5

Views: 2187

Answers (1)

Zoey Mertes

Reputation: 3144

express-session doesn't store any working data in the cookies. Instead it stores a uuid in the cookie, and then matches that uuid to data in your session store (defaults to in-memory).

So if I visit your site, you'll give me a cookie containing 23949324. Any data that you assign to my session will be stored somewhere not in my browser, my cookie remains 23949324. Redis is a common session store.

You can do req.session.creditcard = "4186xxxxxxxxxxx2" and that's technically safe, at least in the realm of cookies. Realistically, you probably shouldn't be storing credit card data plaintext in your session store.

If you'd like persistent sessions I'd recommend express-sessions.

Upvotes: 6
