This is a simple way how to handle session through encrypted cookies. In this implementation, entire session information is preserved through secure cookies and system does not have any reliance on memory or other data store. You can restart your application or scale out to any number of servers and all will be able to function properly.
First you need to install this module.
npm install session-se
Then, you need to add middleware to your pipeline.
const session = require('session-se');
app.use(session({
cookie: { name: 'myapp_sid' },
secret: 'mdflkebfiasdfjfjed#$sd',
duration: 20, // 20 minutes
expiration: 8*60 // 8 hours
}));
There are two scenarios:
For the first one, we need to send code 401 and redirect user to login.
const authorize = (req, res, next) => {
if (req.user)
next();
else
res.status(401).redirect('/login');
};
In the second one, we should not redirect but just send code 401 Unauthorized.
const authorizeApi = (req, res, next) => {
if(!req.user)
res.status(401).end('Unauthorized');
else
next();
};
So, when you need to authorize some middleware, just add your function this way:
// Adding something that does not need authorization
app.use('/', usersRouter);
// Adding some UI that needs authorization
app.use('/secured-something', authorize, securedReouter);
// Adding some API that needs authorization
app.use('/api', authorizeApi, apiRouter);
This is an example, your case can differ. I created a router named login.js;
const express = require('express');
const router = express.Router();
router.get('/login', (req, res) => {
res.render('login');
});
router.get('/api/logout', (req, res) => {
req.registerUser(null);
res.status(200).send('Done');
});
router.post('/api/login', async (req, res) => {
if(req.body.username === 'myunsername'
&& req.body.password === 'MyPassword') {
await req.registerUser({ name: 'Dr Jekyll' });
res.status(201).send('Created');
}
else
res.status(401).send('Authentication Failed');
});
module.exports = router;
P.S. Do not forget that login should be available without authorization or you will end up in a loop.
| Name | Description | Default |
|---|---|---|
secret | Encryption secret REQUIRED | N/A |
secretSalt | Encryption secret salt | safawo$lfnfrn34r-fac |
duration | Session duration in minutes | 20 |
expiration | Absolute session expiration in minutes | 480 (8 hours) |
cookie.name | Cookie name | sid |
cookie.httpOnly | Cookie httpOnly flag | true |
cookie.secure | Cookie secure flag | false |
cookie.domain | Cookie domain | null (meaning it will set current domain) |
cookie.path | Cookie path | / |
FAQs
This is a simple way how to handle session through encrypted cookies.
The npm package session-se receives a total of 0 weekly downloads. As such, session-se popularity was classified as not popular.
We found that session-se demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.
Security News
Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.
Security News
Node.js has paused its bug bounty program after funding ended, removing payouts for vulnerability reports but keeping its security process unchanged.