NodeJS - Framework for stateless sessions?

Is there a framework to support fully client-managed sessions? In other words, instead of storing just the signed pid in the cookie (as Express does), store all context... so that you can manage state across clusters without the requirement to persist.
The session contains private user information meant for the server only. Sending the whole session back to the user is not good. It can be tampered with by the client. A fully client-managed session is a bad idea. – Ellerd

@user568109, this is a common pattern and can be done securely. cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf – Clarke

The secure cookie protocol is about securing the connection between browser and server from a third party. The common pattern you mention is the HTTP-only cookie, which is managed solely by the browser so that the user cannot modify it. – Ellerd

At the end of the day, after auth, you keep the session by retaining a token on the browser that provides access back into the system. In the case you advocate for, there is also a pointer (pid) to a transaction that is persisted on the server. The only difference in what I am doing is that in addition to the pid, there is a bit of data (the same data that would be accessed by using your pid) stored on the client in a secure fashion. – Clarke
There is express middleware which supports this:
https://github.com/expressjs/cookie-session
cookieSession()
Provides cookie-based sessions, and populates req.session. This middleware takes the following options:
- name - cookie name defaulting to "session"
- keys - list of secret keys to prevent tampering
- secret - used as single key if keys are not specified
- options - additional options such as secure, httpOnly, maxAge, etc.
Middleware:
var express = require('express')
var cookieSession = require('cookie-session')

var app = express()

app.use(cookieSession({
  name: "my_session_cookie",
  secret: "dont_tell_anybody_the_secret_and_change_it_often",
  // cookie-session takes the cookie options (maxAge, secure, httpOnly, ...)
  // as top-level keys rather than a nested "options" object; example values:
  maxAge: 24 * 60 * 60 * 1000, // one day, in milliseconds
  httpOnly: true,              // not readable from page scripts
  secure: true                 // only sent over HTTPS
}));

app.use((req, res, next) => {
  // set values on req.session before your response goes out;
  // the whole object is serialised and signed into the cookie
  req.session.viewCount = (req.session.viewCount || 0) + 1;
  res.end(`You viewed the page ${req.session.viewCount} times.`);
});
To clear a cookie simply assign the session to null before responding:
req.session = null