Reputation: 502
I was recently testing for session-related issues like privilege escalation in a web app using Node.js Express. It's my first time testing a Node.js app. The situation is like this: the site has 3 user roles (admin, manager, user), all three have the same value for connect.sid, and all three have different privileges on the application, yet that's the only cookie present after auth for everyone.
I am confused about how Node.js is handling the session and how it's differentiating that this one is admin and that one is manager, and stuff like that?
Can someone with experience in Node.js web programming throw some light on this?
Upvotes: 0
Views: 139
Reputation: 943650
I logged into one, checked the cookie, logged out and logged into the other, and I see the same cookie value.
The cookie value is just used to track the session. All the interesting information is kept on the server.
When you arrive on the site, you get a session and a session cookie to connect your browser to it. You aren't logged in at this point, but you still get a session cookie. (At least typically; you haven't shared the specific details of your session implementation, so we can't be certain about this.)
The details about which user is logged in are stored server side and associated with that session id.
If you log out and log in again, you are still using the same session; it is just that the data (which identifies who you are logged in as) stored against that session ID on the server changes.
Upvotes: 1
Reputation: 2568
connect.sid is the DEFAULT name for the session ID cookie.
https://github.com/expressjs/session#name
A cookie will be stored on your computer that only stores the session ID. The session data will actually be stored on the server.
Use req.session to look at the session data on your server.
https://github.com/expressjs/session#reqsession
Upvotes: 0
Reputation: 484
You can assign variables into your session, like:
request.session.level = 'admin';
Upvotes: 0