Say I have a login system and at first login I store the session ID. Now when the user logs in again, can I retrieve the session ID, session.destroy() the new session and tell express-session to assign the session data from the session store with this retrieved ID to this request?
Thanks
I'm using connect-sqlite3 as session store
I'm trying to get the userId inside the websocket listener. I've done a ton of Google searches about the topic but without any progress.
I'm using the passport and express-session packages.
Please be more specific regarding user IDs. I see you are using passport to implement your session authentication. What particular passport authentication are you using? Passport Google Auth, passport Discord, etc.; there are plenty. Generally, the session data is what you are looking for if the user id is stored that way.
The session cookie or session store will contain the authentication data you are looking for. If you are using express-session, this information can be obtained by looking at the "req.user" aka Request user. Whatever you store for session data will come up in the req if the user is authenticated through Passport.
I'm using node/express.js with cookie-session in my application.
Currently, when a user logs in, a cookie is stored in their browser with a value, for example: session: ABC123. If the user logs out, the cookie is deleted. When the user logs back in, the same cookie and value are stored in the browser: session: ABC123.
I am getting the same session user_sid whenever I log in.
I want to randomize the session user_sid every time the user logs in.
There is no notion of a session id with the cookie-session package.
In the typical scenario where the session data is stored on the server, a session id is generated that maps to a given user's session data. It is this session id that is kept in the session cookie.
With the cookie-session package, however, the session data itself is stored in the cookie (as opposed to on the server), so there is no need for such a mapping or a session id at all. So in effect, unless the session data is actually updated from one session to another, the session cookie will be the same.
You want to call session.regenerate() when the user successfully logs in; that will do what you want and also address session fixation attacks.
I'm using Express and Passport.js in my project. I handle login and logout of users. But if the user does not log out, I don't handle the expired session. I want to handle expired sessions, or I want to access the current session list on the server. Are there any methods for this?
I am creating node.js app using express, everyauth and now.js.
I have a server-side now.js function in which I want to be able to access the 'User' object for the authenticated user calling this function. I don't have access to a 'request' or 'session' object; I only have the user cookie and connect.sid.
My question is, what's the best way to get the session information I'm looking for? Do I store these details in the cookie when the original page request comes in? Or is there a way to get the session object from the connect.sid?
Thanks
To solve this I created a memory session store, which I passed in when creating the Express app. This allows me to access the session store.
When a server-side now.js function is called I use the connect.sid to retrieve the user's session from the session store. This session then has all the authenticated user's details.
I read about session security, e.g. Session Fixation, Hijacking and Injection, but am confused about the workings of session security. The way I usually do it:
<?php
session_start(); // starts or resumes the session; PHP assigns and tracks the session ID itself
// when user logs in,
$_SESSION["user"] = "someuser";
// check user login
if (isset($_SESSION["user"]) && !empty($_SESSION["user"])) {
    // user is logged in
}
Maybe I am doing it wrong, but I don't have Session IDs anywhere, or at least I didn't use them. Can someone explain how Session IDs should be used and how they affect session security? Also, is my understanding of the following threats correct?
Session Fixation
User visits link (http://site.com?session_id=123) and logs in
Server "marks" that session id as logged in
Hacker can now visit http://site.com?session_id=123
My understanding of Session Fixation seems very wrong to me. If it's correct, won't it mean that hackers can randomly use session ids and it will likely be used by an existing user?
Session Hijacking
Hacker somehow gets the Session ID, whether by Fixation or guessing, etc.
Session Injection
What is this?
You're not using session IDs explicitly, but PHP uses them automatically. The session ID is sent as a cookie to the browser, which sends it back to the server with every request to identify itself and resume the session. Without that, sessions are not possible.
A way to improve security is to regularly change the ID of a session, using session_regenerate_id(). That way, if a hacker acquires somebody's session ID, he has only a limited amount of time to abuse it.
Another way to prevent session hijacking (a hacker using your session ID to steal your session) is to store the client IP and user agent string when the session is opened and verify that they haven't changed when resuming the session.
When using sessions, the session ID is the only information used to identify a session. Because of this, the session ID is sensitive information.
Now both attacks, session hijacking and session fixation, aim for a valid session ID of a victim to gain access to that session. As for session hijacking, the attacker tries to obtain a victim's session ID, and as for session fixation, the attacker tries to foist a prepared session on the victim.
To protect your application from those session attacks, there are two common safety measures:
protect valid session IDs, and
authenticate usage of sessions.
With PHP’s default session settings, the session ID is transmitted using a cookie (see session.use_only_cookies). You can protect this cookie by using a secure connection with SSL/TLS and by setting session.cookie_httponly to true so that the cookie can only be read when sent via HTTP and not by a client side program like JavaScript.
Additionally, you could authenticate the use of a session by associating a fingerprint of the client with the session. This could be a combination of user agent identifier and other request header fields.
Furthermore, you should change the ID of a session with every verification of authenticity or change of authorization. You can use session_regenerate_id(true) for this with an invalidation of the old session ID.