
I have a requirement to create a session only after successful authentication.

I was able to create a redisStore-based session using Express middleware, but it creates the session when the first request comes to the server.

But how can I create a session only after successful authentication? I googled somewhat and found req.session.regenerate() (but I found the issue mentioned in this thread: Regenerate session IDs with Nodejs Connect).

But in the regenerate case too, it creates a fresh one, assuming the old one is already created, and it is created with the same parameters.

So is there any other way to create a new session ID only after successful authentication?

user1887432

2 Answers

You may be conflating the idea of a session with the idea of an authenticated session.

It's normal for all users to have a session - even the anonymous, not-yet-logged-in users. The difference between this and an authenticated session is just that, locally on your web server, you specify that a particular user has been authenticated.

For example, once you authenticate someone, you can set:

req.session.isAuthenticated = true;

Then, when rendering pages, your controllers can do something like

// Guard middleware: every visitor has a session, but only a session that
// has been flagged after a successful login is allowed through.
function(req, res, next) {
  if (!req.session.isAuthenticated) return res.redirect('/login');
  res.render('appPage');
}
hunterloftis
  • I was also under the same myth that the server should not create a session object unless the user is authenticated. Thanks for sharing your expertise. Really very helpful. – joy Aug 01 '15 at 20:54
  • That is not a myth. For example, somehow hackers inject some scripts and are able to get a not-logged-in session. Then after some period of time the user authenticates that session. And if it is done wrong (without session regeneration, or even with no session creation until authentication) then the hacker already has a session ID value that is now valid and can use this hole. – Romick Jun 22 '17 at 12:12

This might not be the exact answer you're looking for, but I'll answer the title for future readers:

From experimenting with my application, I've noticed that express-session sets the session cookie only if you manipulate the session object.

For example consider the below code:

app.post('/login', function (req, res) {
  var authenticated = false;
  if (req.session.authenticated) {
    // session cookie is already set
    authenticated = true;
  } else if (validateUser(req.body) /* validate the user here; validateUser is a placeholder for your own credential check */) {
    console.log(' authenticating');
    authenticated = true;
    // if the line below executes, the response will have a Set-Cookie header
    req.session.authenticated = authenticated;
  }
  res.json({
    status: authenticated
    // if --^ is false, no session cookie will be set since we didn't manipulate the session object
  });
});

Even though a request creates a session object in memory for us to use, the Set-Cookie header seems to be sent only if we manipulate (or tamper with?) the session object created.

Unless we send the Set-Cookie header along with the response and the session ID is stored in a cookie on the client side, I wouldn't consider it an established session or worry about it.

Hope it helps.

Side note: This is the case for a cross-domain AJAX request; it might be different for a normal HTTP request, perhaps someone can confirm this.

T J