I am creating node.js app using express, everyauth and now.js.
I have a server-side now.js function in which I want to be able access the 'User' object for the authenticated user calling this function. I dont have access to the a 'request' or 'session' object, I only have the user cookie and connect.sid
My question is, whats best way to get the session information I'm looking for? Do I store these details in the cookie when the original page request comes in? Or Is there a way to get the session object from the connect.sid?
Thanks
To solve this I created a Memory Session store, which I passed in when creating the Express App. Which allows me to access the session store
When a server-side nowjs function is called I use the connect.sid to retrieve the users session from the session store. This session then has all the authenticated users details.
Related
I'm trying to get the userId inside the websocket listener i've done a ton of google searches about the topic but without any progress.
I'm using passport ,express-session packages.
Please be more specific regarding user ID's. I see you are using passport to implement your session authentication. What particular passport authentication are you using? Passport Google Auth, passport Discord etc., there are plenty. Generally, the session data is what you are looking for if the user id is stored that way.
The session cookie or session store will contain the authentication data you are looking for. If you are using express-session, this information can be obtained by looking at the "req.user" aka Request user. Whatever you store for session data will come up in the req if the user is authenticated through Passport.
I'm using node/express.js with cookie-session in my application.
Currently, when a user logs in a cookie is stored in their browser with a value, for example: session: ABC123. If the user logs out, the cookie is deleted. When the user logs back in, the same cookie and value are stored in the browser session: ABC123.
I am getting the same session user_sid whenever i login.
i want to randomize the session user_sid every time the user logs in.
There is no notion of a session id with the cookie-session package.
In the typical scenario where the session data is stored on the server, a session id is generated that maps to a given user session data. This is this session id that is kept in the session cookie.
With the cookie-session package however, the session data itself is stored in the cookie - as opposed to on the server -, so there is no need for such a mapping or a session id at all. So in effect and unless the session data is actually updated from one session to another, the session cookie will be the same.
You want to call session.regenerate() when the user successfully login, that will do what you want and also address session fixation attack
I am trying to get the nodejs adapter to working with my Express application and am getting issues after an authorisation code is returned for a user and then a subsequent request is made to exchange this for an access token.
Through some debugging of the library it seems the redirect_uri being sent in the subsequent request is blank, and when adding a breakpoint and inspecting the below code, I can see a session object is present, but there is no auth_redirect_uri property present
Watching the initial request when authorising the user, I can see the redirect_uri is present in the request query params.
So I can only think for some reason this is not being parsed out by the nodejs adapter after the user has been authorised and then persisted to the session object.
My express application does use the express-session middleware which I have configured to save sessions to a mongoDB. I then use my configured session store with the keycloak middleware configuration, in the same way as per this example
Can anyone offer any thoughts on what may be happening here?
Thanks
As far as i studied so far from stackoverflow answers regarding making sessions persistent after server restart.
There are 4 possible ways which i considering to do with my mean app.
cookie-Sessions https://www.npmjs.com/package/cookie-session
using Json web tokens (JWT) https://www.npmjs.com/package/jsonwebtoken
using connect-mongo/connect-redis
passport.js
Now my doubt is if i will restart my server in mongo and redis . session will still be there as they are external data stores.
but how to make my session persistent using JWT and cookie sessions.
where are these session variables are stored.
In case of passport.js the solution which i came across is to make session persistent is to store session data in connect-mongo/connect-redis.
is there any other way in passport to make sessions persistent?
If you store session at external storage, then after restart it should be available.
Passport is not responsible for sessions. You setup session independently from passport in express. Passport is authentication middleware with strategy to use your session.
you setup express session:
app.use(express.session(session options));
and after that you init and setup passport to use session:
app.use(passport.initialize());
app.use(passport.session());
It means that regardless of whether you use passport or not, session configuration will be the same.
there are few ways to make sessions persistent:
Most of them store session in db or in file system (memory storage is appropiate only in dev env). Please look at this npm search list link.
List of Compatible Session Stores from official express-session page https://github.com/expressjs/session#compatible-session-stores
Jwt token, if properly implemented, is stateless. It means that your server does not storage any session data, It doesnt know how many sessions are valid. It authorize request if it have valid jwt token.
Jwt token can store some data, like your user id. When your server receive token, it decode it and validate, then you have access to data from this token. Please read this article for more details :
https://stormpath.com/blog/jwt-the-right-way/
Most important parts (there are more important things, butthese are sometimes forgotten):
Always verify the signature before you trust any information in the JWT
and:
Do not contain any sensitive data in a JWT
Please look at this module for maintain jwt:
https://www.npmjs.com/package/json-web-token
or even for some hybrid solution module (redis session with jwt token):
https://www.npmjs.com/package/jwt-redis-session
I use a pyramid and i need logout all users from my site. Currently i cant find any place where are sessions wrote. There is nothing written in pyramid documentations about this situation so is any way to do that?
This depends on the authentication backend you're using. If the backend stores the session somewhere, you can just clear that somewhere.
If you're using a backend that stores the session in a cookie, like AuthTktAuthenticationPolicy, then the cookie is signed with a secret that present in your configuration. Changing this secret would invalidate all cookies, effectively logging out all users.
Change your session factory settings, such that request object return the session after calling its session.clear method.