Sorry for being very stupid, but I really can't get my head around it. There are many different options like Cookies, LocalStorage, LocalForage, Session Cookies, etc.
What I need though is to store user information, and I have to do it on the server (I'm using node and express), I mean I can determine user on the server, and I have to send it to the client, and store it in browser's session store.
And I can't use just regular cookies, I don't want to persist that between the sessions.
with the cookie I could just do:
apt.get '/', (req, res)->
res.cookie 'user', currentUser
But doing similar thing with res.session doesn't work
Update after discussion.
Sounds like you should look at the basic approach of:
Take the user data you have on the server but want available in the browser, serialize it to JSON on the server
transfer that user JSON data to the browser in an HTML <script> tag whenever there's a full page load. Something like <script>window.USER = {"name": "Agzam"};</script>
when your JS on the page starts to run, you have access to it directly: window.USER
You can just leave it there in memory and it will go away when the window/tab is closed.
I recommend sharify as a secure and convenient way to do this. It integrates with express and browserify. If you don't use sharify, be aware that the rules for properly encoding JSON inside HTML are tricky.
I don't want to persist that between the sessions
Don't use localStorage or anything backed by localStorage then as they will persist longer.
Related
So I have few things to say I don't want to use cookies so things like express-session doesn't come as option.
I use nodejs with express with no front-end JavaScript and mysql as database. I don't really know how to do it so I would like to hear your opinion.
I already tried to search on internet.
When dealing with regular web pages, there are only four places in a request to store information that would identify a session.
Cookie sent with each request
Custom header on each request
Query parameter with each request
In the path of the URL
You've ruled out the cookie.
The custom header could work for programmatic requests and is regularly used by Javascript code with various types of tokens. But, if you need a web browser to maintain or send the session on its own, then custom headers are out too.
That leaves query parameters or in the path of the URL. These both have the same issues. You would create a sessionID and then attach something like ?sessionID=92347987 to every single request that your web page makes to your server. There are some server-side frameworks that do sessions this way (most have been retired in favor of cookies). This has all sorts of issues (which is why it isn't used very often any more). Here are some of the downsides:
You have to dynamically generate every single link in a web page so that it will include the right sessionID as part of the link so if the user clicks on it, the resulting http request will have the right sessionID included.
All browser caching has to be disabled or bypassed because you don't want the browser to use cached web pages that might contain the wrong sessionID.
User bookmarks basically don't work because they end up bookmarking a URL with a sessionID in it that won't last forever.
The user sees sessionID=xxxx in all their URLs.
Network infrastructure that log the URLs of requests will include the sessionID (because it's in the URL). This is considered a security risk.
All that said and with those tradeoffs, it can be made to work, but it is not considered the "safest" way to do it.
We are using the Passport with express-session. when I develop features in my local, Server restarts which kills session every time I make changes to the code as I use nodemon. As a result, I have to login repetitively.
Here is my question:
Is there any way that I can config Passport to prevent logging in repetitively during development?
I'm thinking about:
(1) allow the session to survive during reloadings
(2) allow Passport to use cookie instead of cookie-session
(3) any other possible solutions will be appreciated
Yes you can. Just pick your favorite storage (you use the default memory storage, don't you?). The easiest way is to store sessions in a database (like MySQL or any other, maybe Redis) and with each restart all sessions will be stored safely in it.
You haven't provided any code in this question, but I am not going to be a stingy StackOverflow police officer and try to answer this as best as I can. I am expecting that you have sessions set up properly because you are not reporting any problems with data resetting when sending get requests to URL endpoints on your server.
You can actually set session data with the express session. Depending on what URL endpoint you would like to serve the data:
app.get('/url-endpoint', (req, res) => {
req.session.data-attribute = "data";
});
You can then serve this data however you like. I hope this answers your question. If this didn't answer your question, I would recommend editing the question and adding some code.
I'm trying to build a CMS on Node.JS and this far i managed to build everything only by including MySQL module. I would like to continue building all the CMS core modules without the use of extern libraries like Express. I'm working now on the session for Login purposes. By now, i can create cookies with the header Set-Cookie where i store some information of the user to recognize its session when he/she loads all the pages in the site, but i still can't find some way to create session variables without the use of express or some other frameworks.
I'd be thankful if someone could give me some example.
First off, unless you're building things yourself just because you want to learn how to do it all yourself, there's really no reason to re-invent things that have already been well engineered in existing modules. Because this is server-side code, there's really no penalty for using an already tested module that does what you want. So, my first recommendation would be to use Express and express-session. It does all the session management for you and will give you lots more time to work on the aspects of your project that will really help it succeed or fail.
And, THE top benefit of using node.js in the first place is being able to use the huge library of existing code available through NPM and Github.
Conceptually, here's how a session works in the node.js/web browser client/server world.
Incoming request from client to web server.
Server creates some sort of guaranteed unique cookie value and sets that as a cookie on the response.
Server also creates a serve-side session object and puts that object into some data store with the session cookie value as an index into that data store.
Now every time a future request arrives from that same client, it will be accompanied with that session cookie.
On each incoming request, the server can grab the session cookie value, use it as the key to look up the corresponding session object and get it.
Any request handler can then read data from the session object or write data to the session object.
In this manner you can keep data associated with a particular client secure and safe on the server and usable from one request to another.
If you're going to implement your own session system, you have to be able to create these unique session cookies and create some sort of session storage (can be anything from a Map object in memory to a database), implement session expiration and session store cleanup and then provide appropriate middleware or utility functions that makes it easy to use on any individual http request.
Super simple question that I'm having trouble wrapping my head around.
When using sessions with nodejs, are the sessions stored in the users browser? Or are the sessions stored on the server?
For example, if I'm using the express-session or passport.session(), where are these session cookies stored?
As #robertklep mentioned, sessions (in the way you're using them) are stored on the client, but only contain a session ID. When your request hits the web server, it'll then look up the session ID to grab the account from some sort of database / cache, then use it for the remainder of the request lifecycle.
If you're interested on learning more about this, you might want to check out this screencast I made a while ago which covers exactly how cookies work, and why -- as well as how to store them securely: https://www.youtube.com/watch?v=yvviEA1pOXw
Furthermore, if you're looking to build a site that doesn't use 'typical' server-side sessions, and works with modern client-side front-end web frameworks like Angular.js / React.js / etc., you might want to investigate JSON Web Tokens (JWTs). These tokens allow you to create 'dumb' cookies that don't require a database lookup on the server, and can speed up your web apps / API services pretty dramatically: https://stormpath.com/blog/build-secure-user-interfaces-using-jwts/
Hope this helps!
The fine manual states:
Note Session data is not saved in the cookie itself, just the session ID. Session data is stored server-side.
express-session sends a cookie to the browser (which stores it), which contains a unique session id. The data itself is stored on the server (depending on which session store you use, this can be in memory, Redis, MongoDB, ...).
The session id in the cookie is merely used as a key to look up the actual data in the session store.
I have a node.js webserver with express middleware. I am trying to eliminate the need to session stores for performance reasons. I dont track much as of now.
However, I do need to keep track of username and userid when a session is started after loggig in. I have implemented this using express res.cookie( ... ) which works if cookies are enabled. But it will not work if cookies are disabled.
so I was looking at req.session but that again uses cookieSession internally.
Q1: How can I keep track of username (once user has loggedin )
across multiple requests with cookies disabled in browser and NO-SESSION-STORE
(REDIS/MONGO etc)
Q2: In the solution for Q1 above, I want webserver to be stateless,
so it does not grow in memory at any point?
Is it possible? Does my question/requirement even make sense? I am new to this.
Essentially I am looking for an object other than cookie that can be part of request which will communicated every time request is sent/received
Please help
There are multiple avenues you could potentially take, since it sounds like you control the requester as well as the backend service.
HTTP Headers
Query String
Cookies
We know cookies are out.
With HTTP Headers, you can't always count on them unless you're making some kind of AJAX call.
Query strings require you to ALWAYS send back a user name or other identifier manually. However, it would solve Q1 and Q2.
Depending on what your app is, it might make sense to re-architect endpoints so that they are ReSTful and help define actions - that way it makes semantic sense to have a username as part of the request url.
For example:
GET http://example.com/:username => could display a profile
GET http://example.com/:username/friends => could display a list of friends.
Depending on how your app is designed, you might also be able to utilize websockets to handle user connections and auth.