
Is it safe to use express-session without any tokens for user authentication in an AngularJS SPA?

Can the user modify the session client-side anyhow?

On login there's a POST request with the credentials (email, password):

connection.query( 'SELECT username, password, emailCode FROM `user` WHERE `email` = ?', [ email ], function ( error, results, fields ) {
    if( error ) { console.log( error ); return res.status( 500 ).json( { err: 'Internal error' } ); } // results is undefined on error, so stop here
    if( !results.length ) return res.json( { err: 'Invalid password or email address' } ); // invalid email
    if( !bcrypt.compareSync( password, results[ 0 ].password ) ) return res.json( { err: 'Invalid password or email address' } ); // invalid password
    // credentials are valid: mark the server-side session as logged in
    req.session.username = results[ 0 ].username;
    req.session.email = email;
    req.session.loggedIn = true;
    res.json( { username: req.session.username, msg: 'Successfully logged in' } );
} );

In the Express routing there's a loggedIn check like this:

app.get( '/views/user/:name', function( req, res ) {
    var name = req.params.name;
    if ( typeof req.session.loggedIn !== 'undefined' && req.session.loggedIn ) {
        return res.sendFile( 'views/user/' + name, { root: __dirname + '/public/' } );
    } else {        
        return res.sendFile( 'views/error.html', { root: __dirname + '/public/' } );
    }
} );

All data the client needs is requested via HTTP GET, and the server returns user information (or anything else) only if req.session.loggedIn is true.

It seems to work fine, but is it secure?

mcode
    what do you mean "without token"? the sessions have a token don't they? how else would they be re-aligned later? tokens are generally ok, but you should require a password for important stuff like changing the password. as is, anyone with the cookie can impersonate the user associated with the cookie. – dandavis May 24 '16 at 20:05
    watch https://www.youtube.com/watch?v=tso5rhzQYBc for the ups and downs of relying on cookies. – dandavis May 24 '16 at 20:11

1 Answer


Depending on what session store you have configured with your application, information about the data stored in the session may or may not be sent to the client. That is, if you use cookies to store sessions, then some info will be on the client, but these are signed cookies and it's not possible for the user to tamper with them as long as they don't know the secret used to sign them, which is defined on the server.

Tudor Constantin
    signed cookies don't provide secrecy, only integrity. any application on the device can read the cookies in plain text from a folder on the storage... – dandavis May 24 '16 at 20:07
  • @dandavis - have I said something different? – Tudor Constantin May 24 '16 at 20:09
  • So it is secure because I just send information like email, username etc. to the user if he is logged in (req.session.loggedIn) and if req.session.email matches the database? – mcode May 24 '16 at 20:14
    i'm just rounding out the answer as it relates to the (rather subjective) question of "is it safe"? so, while a cookie may be intact (non-altered), it might not be _authentic_, and thus i would say, not "safe". Express could improve this by folding something like remote IP into the hash, but that poses a problem for cell phone roaming... – dandavis May 24 '16 at 20:14
  • yeah.. what's the common way to handle user authentication? before I used the session way I used randomly generated tokens on login and transferred them once to the user; on each http request I send & compare them server-side, but I thought this is the light way :-) – mcode May 24 '16 at 20:16
    if the cookie is intact, its assumed it's also authentic, because it can't be signed by a malicious user without knowing the secret from the server side. – Tudor Constantin May 24 '16 at 20:16
  • Would it improve the security if I add a token (randomly created on login) and send this token once to the user -> store it as a cookie (ngCookies) and send it back on each http request? – mcode May 24 '16 at 20:20
  • @mcode - no, in my opinion it will not improve security, it will only increase your app complexity. Where will you store that token on the server in order to check it against the token received in the request? will you allow multiple sessions for the same user? where will you store all the tokens? how/when will you invalidate those tokens? – Tudor Constantin May 24 '16 at 20:23
    @mcode - think of it this way - there are thousands of NodeJS sites that use signed cookies as session stores - do you think that they'd still use them if they weren't secure? – Tudor Constantin May 24 '16 at 20:25
  • Well, tokens are saved in the database on creation (login) and compared with the database on each request. Multiple sessions would be possible with this method (sessions stored in another table (it's mysql)) but I think a single session is enough for everyone. But this method will, as you said, increase the complexity and decrease the speed of the application. I wasn't sure because I'm new to the node.js stuff (PHP over years before), that's why I ask, but yeah thanks, then it sounds secure :-D – mcode May 24 '16 at 20:27
    it's going to be as safe as anything else, which is to say "enough" and "not very" at the same time. it all depends on the security of the client machine and how it prevents outside apps from seeing the cookies. only safari does a half-way decent job at that... – dandavis May 24 '16 at 20:30
    if you still don't feel comfortable with the signed cookies there is the possibility to use redis as a session store: https://www.npmjs.com/package/redis-sessions – Tudor Constantin May 24 '16 at 20:31
    @dandavis - that's an interesting perspective - but, if a malicious app can access the signed cookies, it can also access the tokens used for identification and make requests in the name of the user – Tudor Constantin May 24 '16 at 20:33
  • If any malicious app can get the access I think it's not my problem anymore, everyone should keep their computer clean :-D Redis looks also nice. Thank you guys! – mcode May 24 '16 at 20:37
  • @TudorConstantin: that's my whole point, cookies are not stored protected client-side. from the view of the web (e.g. other sites), the browser protects them a lot, but from the view of even an unsigned exe (no UAC to install), they are out in the open. so what to do? as a web dev, refer to the "serenity prayer" for guidance. – dandavis May 24 '16 at 20:39