0

I am new to nodejs/mongo so i ended up rolling my own session middleware because i didnt know about express-session-mongo.

In my middleware, i store the users id in the session (via express's session middleware), and then load the logged in user object on every request. I also allow the user to store their user/pass in an httpOnly cookie for a 'remember me' functionality.

The docs page for that npm leaves something to be desired.

My question is: what are the advantages of that module vs what i wrote? Am i doing something stupid? How is what they do better than what i do?

mkoryak
  • 57,086
  • 61
  • 201
  • 257

1 Answers1

1

Your technique is highly insecure. If I just need to know the ID of a user record in your database, and I can use that in my session cookie to become any arbitrary user, that's a massive vulnerability. Session IDs should be pseudorandom tokens that in and of themselves do not contain any data. They are just unguessable numbers used to look up data on the server side. They should also be unique for each session across time, which a user ID is not.

Peter Lyons
  • 142,938
  • 30
  • 279
  • 274
  • 1
    ok, fair enough, but i can easily change my implementation to fix this minor problem ;) - are you saying that this is the only detail that is different between what that module does and what i do – mkoryak Dec 26 '12 at 19:27
  • err, i just realized that i dont store the id in a cookie. i use express's session middleware and it probably does what you described :). – mkoryak Dec 26 '12 at 19:36
  • This will be my last comment. This is not a good fit for the S/O Q&A format. The answer is you should go read up about how web sessions need to work and why they work how they do. Storing the user/pass in a cookie is the kind of thing that destroys companies. These are not minor details, these are "and then we had an unrecoverable PR nightmare and our business shut down" details. Check out the Open Web Application Security Project. https://www.owasp.org/index.php/Main_Page – Peter Lyons Dec 26 '12 at 21:15