I know we can create session using Express JS using following,
express.session({ secret: 'secret' });
But I don't want to use any framework. Just only with Node-JS, how can we create session and maintain it?
I do it the following way. I store the session information retrieved from the form into the redis database. You can use something like the one given to store the session information.
var json= JSON.parse(body.toString());
exchange.addUserSession(redisClient,json.userID,json.sessionID,function(err, response){
console.log(response);
res.end(response.toString());
redisClient.quit();
});
And then something like this to actually store the session information in the database.
exports.addUserSession = function (redisClient,userId,sessionId,callback){
//add the user and its session in appsession hash map in redis
redisClient.hset('appsession',sessionId,userId,function(err,response){
callback(err,response);
});
};
Hope it helps
You can check out node-sessions. I have not used it, but after skimming it's home page it looks like you don't need to use any framework.
Related
I'm reading the Express framework docs, making my basic login/redirect page routes.
The following route accepts the submission:
app.post('/',function(req,res){
//console.log("USERNAME: "+req.body.username);
//console.log("PASSWORD: "+req.body.password);
res.redirect('/chat');
});
and this:
app.get('/chat', function(req, res){
res.sendFile(__dirname + '/templates/chat.html');
//console.log("request");
});
takes the user to a new page.
How do I send context? Should I be using res.render()? Neither function seems to contain an option for data like {username:req.body.username}. How should data be passed between routes?
Generally to handle logins with express you'd use something like passport's local strategy, which attaches a user object to the request object (req.user) for you for each route. I don't know that what you're trying will work in a larger context -- you'd need some kind of session-based middleware like express-session at the very least, so you can attach variables per session (I think it gives you req.session). By default, express has the capability to store information for one request/response cycle (res.locals) or for the entire instance of the app (i.e. for all users) (app.locals).
As far as getting data into views, you would use res.render with something like EJS, pug, or another view engine. For example, if in your route, you had something like:
route.get('/', (req, res) => {
res.render('template', { username: 'yourname' })
}
you can refer to that in your ejs template like so:
<h1>Hello, <%= username %>!</h1>
which will get sent back as this:
<h1>Hello, yourname!</h1>
So, to answer your question:
You would use res.render to get variables & data into your views
You don't share data across routes by default except app-level data that applies to all users, which can be set on app.locals
You can use authentication middleware like passport and session middleware like express-session to keep track of user information across routes per session.
Hope this helps! Good luck with express!
I learn node js. I got very simple app, where need to type query to videohostings. E.g. you type "cat" and page shows you video with some cat. Nevermind.
I use express, and I really can't understand how works sessions and cookies. I want make different sessions for each user. Sorry for my silly English, now I'll write it literally :D
If one user entered a query and he was given a video, the other user should not see the result of his query, i.e. it must have the same result
Because if I have already type the query and the video display, the same displayed on the other browser, it turns out that some kind of "common search".
Hope you understood, thanks for replies!
UPD,
There are taking query from input and put it to variable, that need for pug template to link to video that need to insert to page
app.post("/", function (req, res) {
if(!req.body) {
return res.sendStatus(400);
}
vk.request('video.search', {'q' :req.body.query}, function(_o) {
query = _o.response.items[0].player;
res.redirect('back');
});
});
You should use express-session.
After you have installed it you need to configure it like so:
const session = require('express-session')({
secret: 'your secret',
resave: true,
saveUninitialized: true
});
Afterwards you need to make sure your app uses it (app should be app = express()). To make the code use express-sessions you need to do app.use(session);
To access your sessions all you have to do when routing is get the session object from the request parameter.
In idea it would look like so for saving:
app.get('/', (req, res) =>{
req.session.yourvariable = 'foo';
});
To get the session variable its as simple as doing req.session.yourvariable
I am trying to store client session using raw node.js without express.
When a user logs in I have the username and password. Now, how to store a session in client browser using cookie. And how to identify the user when they refresh the tab or goes to another link.I don't want to use client-sessions module as I want to understand the approach.
any help will be appreciated.
First of all, I suggest you to watch everything about authentication in NodeJS It explains cookies in a part very well.
You have to give the browser some data to hold for it to use later, which being cookies. Browser uses this data to show the server what kind of authentications it has processed before for the server and the user to proceed without repetition.
In node.js, using client-sessions module, you can set a cookie by calling
app.post('/login', function(req,res){
User.findOne({password: req.body.userPassword}, function(err, user){
if(user){
req.session.user = user; //here you are setting the cookie for the client,
}
})
})
You could also specify what kind of cookie you want to set by just adding it a property
req.session.userEmail = user.email;
Now let's check how the server uses authentication
app.get('/someUrl', function(req,res){
if(req.session.user){
console.log("user exists!");
}
})
You can check what the client sends you by using session property of req object => req.session
To bind it with database you need to do,
if(req.session.user){
User.findOne({email: req.session.user.email}, func...)
}
So basically, with each request that client sends, this procedure is used by the server to identify the cookies and to make the web-app user-friendly with no repetition.
It is like giving every student an ID in a school for authentication.
Security
For security, the node module cookie-sessions encrypt data automatically when we add secret attribute in app.use() function. Please see using secret in client-sessions module
So what I'm trying to do is when someone loads my site, and gets authenticated by passport, their userId is stored in req.user.id in my app.get('/home', funciton(req, res). Now what I am trying to do in a way is this:
app.get('/home'. function(req, res){
io.on('connection', function(socket){
socket.emit('userId', req.user.id);
});
}
Thats essentially what I'm trying to do, but I know it is very wrong. Now my question is how can I get the req.user.id to the client so I can use it in future interactions with the server.
Looks like you're receiving a GET request and using Express right? You're probably passing the userid in the querystring, so you'll want to use:
req.query.userid
This basically pulls the value assigned to a key in the querystring.
Source: http://expressjs.com/en/api.html#req.query
I would also recommend sending something like ?userid=12345 in the querystring, rather than an object (user.id) in the querystring, as encoding an object will unnecessarily add more complications and not needed.
You can use express session with socket.io
There's a npm module called express-socket.io-session
I need help understanding the concept of sessions for a web application. I am running a Node.js server with Express 3.0.
My goals are to:
Create a session for each user that logs in
Store this session and use it for validating if the user is already logged in (prevent two devices using the same user at the same time) and to limit access to certain pages (by matching session ID to some other data)
I will be using MemoryStore to save the sessions (seems easiest). If the above goals make sense can you provide a thorough explanation of how to achieve them?
Express has nice examples in the github repo. One of them deals with authentication and shows how to attach the user to the req.session object. This is done inside the app.post('/login') route.
To limit access to certain pages add a simple middleware to those routes
function restrict(req, res, next) {
if (req.session.user) {
next();
} else {
req.session.error = 'Access denied!';
res.redirect('/login');
}
}
app.get('/restricted', restrict, function(req, res){
res.send('Wahoo! restricted area, click to logout');
});
As Brandon already mentioned you shouldn't use the MemoryStore in production. Redis is a good alternative. Use connect-redis to access the db. An example config looks like this
var RedisStore = require('connect-redis')(express);
// add this to your app.configure
app.use(express.session({
secret: "kqsdjfmlksdhfhzirzeoibrzecrbzuzefcuercazeafxzeokwdfzeijfxcerig",
store: new RedisStore({ host: 'localhost', port: 3000, client: redis })
}));
Use MemoryStore in express ONLY if you are not creating multiple instances (such as with the cluster module). If you are load balancing across machines, your load balancer will need to use sticky / persistent sessions.
If you meet those requirements, then all you need to do is upon login, once the credentials are validated, set a session variable to indicate logged in, for example:
req.session.loggedIn = true;
If you want to check if a user is logged in, simply check that variable.
if (req.session.loggedIn) {
// user is logged in.
}
else {
// user is not logged in.
}
You mentioned preventing a single user from having sessions more than one session at a time. To achieve that, you may need to store something in a database indicating that the user is logged in. I warn you, this can be dangerous because of stale sessions. For example, what if a user logs in, but never logs out? What if they close their browser window so the session is gone forever?
Express has no concept of an idle session expiration. I have implemented such a thing by storing all sessions in the database along with a last accessed timestamp and then periodically clean up the session data based on the time. But then you need to update your list of who is logged in as well.