I am using mongoDB in my project, due to the Project's need, I am saving lots of credential data in my database. I want to know, how secure their web server is ? i am using passportJS now for authentication. i did use registered user check at all routing.
for your information
i use
passportJS
mongoose
expressJS
NodeJS
Heroku
The problem basically boils down to the fact that bodyParser creates a temp file on your server for every request leaving you wide open to a DDOS attack. You can replace app.use(express.bodyParser()); with app.use(express.urlencoded());
Also, please go through http://expressjs.com/api.html and
http://wegnerdesign.com/blog/why-node-js-security/
Related
We are using the Passport with express-session. when I develop features in my local, Server restarts which kills session every time I make changes to the code as I use nodemon. As a result, I have to login repetitively.
Here is my question:
Is there any way that I can config Passport to prevent logging in repetitively during development?
I'm thinking about:
(1) allow the session to survive during reloadings
(2) allow Passport to use cookie instead of cookie-session
(3) any other possible solutions will be appreciated
Yes you can. Just pick your favorite storage (you use the default memory storage, don't you?). The easiest way is to store sessions in a database (like MySQL or any other, maybe Redis) and with each restart all sessions will be stored safely in it.
You haven't provided any code in this question, but I am not going to be a stingy StackOverflow police officer and try to answer this as best as I can. I am expecting that you have sessions set up properly because you are not reporting any problems with data resetting when sending get requests to URL endpoints on your server.
You can actually set session data with the express session. Depending on what URL endpoint you would like to serve the data:
app.get('/url-endpoint', (req, res) => {
req.session.data-attribute = "data";
});
You can then serve this data however you like. I hope this answers your question. If this didn't answer your question, I would recommend editing the question and adding some code.
we are in the process of building a new app in node.js with express that connects to our parse server backend. We have built native apps that already connect to our backend on iOS, Android and PHP. All of them have the ability to log in the user and store the session data securely.
I'ts my understanding that node.js doesn't really store sessions like for example in PHP you can store them as a file on the server or to memcache or redis and test against parse->currentUser() to check if its valid.
How does one do this with node.js? We cant store any session data in a cookie since thats not secure.
Is using express-sessions and redis a good way to handle this?
I'ts my understanding that node.js doesn't really store sessions like for example in PHP...
That's not a totally accurate understanding... it's more that Node.js doesn't really know or care how you handle your sessions. That's where frameworks like Express, and their modules express-session, come into play.
Is using express-sessions and redis a good way to handle this?
If you're using Express, yes. And, with that, you can use whatever session store you want, including Redis, Memcached, files, just like you're used to with PHP.
An approach that I've used in the past is to store your session ID in a cookie, but none of the session content. That will allow you to reconnect with a prior session, as long as it's still valid. You can also use LocalStorage if you want something a little more persistent than SessionStorage. If you want something really persistent, you can manually save your session data to your database, and have the user request it if their browser data has been cleared.
I'm investigating using Stormpath for our user Management.
I currently have a Sails.js application which uses Node.js / Express.js. Currently, session management is handled by the default Sails.js framework, which relies heavily on Express' session middleware.
Sessions are stored in a shared Redis database on production so that we can keep our multiple API servers stateless.
My question is will the two session management systems conflict and/or cause bugs? Do they have to be consolidated or can we safely keep them separate? if they have to be combined, how do you configure the middleware?
As a note we won't be storing much user data on Stormpath, we'll only be using them as a auth/token provider.
Thanks for the help!
I'm the author of the express-stormpath library, which is what I'm assuming you're evaluating.
You can indeed use your own sessions in addition to the stormpath ones. The way it works is like so:
Stormpath uses req.session to store a stormpathSession cookie. Any other cookies you create / store, will be handled by you completely.
It should work nicely with whatever session library you choose =)
I am currently developing a node.js webapp, which can access a subversion server with a nice web UI.
To access the server I need authentication data. My first attempt was to store them with app.set('username', 'theo')and app.set('password', 'start'). Later I saw, that this is a very bad idea, because then, the authdata are going to be in the app settings until it restarts.
My question is now, how can I store data during a session over multiple requests using nodejs and express?
PS: A database is sadly no option...
Ok, I just oversaw it. The express module express-session was what I needed :)
This is my code now:
var session = require('express-session')
app.use(session({ secret: 'supersecret' }))
And when I need the session I jsut go with
req.session.username = 'theo'
Just if anybody has the same trouble like me :)
You may use "mamcached" for store your session information using nodejs. Thorough this you may help in integration with any web server session also.
You can also use REDIS to store the sessions, even if the express falls you will still have the sessions on REDIS and the users won't have to authenticate again.
You can also use redis for nodejs and predis package for php redis. It is very easy for you.
All the best..!!!
I have a fairly complex express based web application that is split up into a few sub apps which are also express apps (using app.use()). How can I seamlessly use the same session between all parts of the app?
the middleware bundled with Connect are "self aware" in that they will not duplicate work they've already done. So for example if you have req.session already, and both the "root" app, and a mounted app utilize the session() middleware, the root app's session will work, and the other will be ignored. So it should work as-is.