Reputation: 107
ExpressJS security best practice (handle session and cookie)
I just read an article about ExpressjS security best practice here https://expressjs.com/en/advanced/best-practice-security.html . And it mentions that express-session package is only designed for development environment, not production environment. So wheter it means that i can't use express-session for implementing authentication and authorization functionality in my apps? How if i use it in production environment? Is there security issues or what? Please help to explain. Thank you.
Upvotes: 1
Views: 1465
Answers (1)
Reputation: 3748
You misinterpreted what was written about it.
The express-session middleware stores session data on the server; it only saves the session ID in the cookie itself, not session data. By default, it uses in-memory storage and is not designed for a production environment. In production, you’ll need to set up a scalable session-store; see the list of compatible session stores
It meant that you should use external store to use session (like a DB or a key-value store like Redis) to prevent session data loss in case your app restarts or crashes.
Upvotes: 2
Related Questions
- Expressjs secure session cookie
- Session-only cookie for Express.js
- What am I missing about express sessions and cookies?
- Express Session and Cookie
- Session Cookies on Express.JS
- Session and Cookies in expressjs
- Using encrypted cookies and a session store to secure requests
- Session in nodejs
- ExpressJS sessions with cookies
- Node.js cookies and session management