atinux / nuxt-auth-utils

Minimal Auth module for Nuxt 3.
MIT License

How safe is putting user password in user object #174

Closed CorrM closed 5 days ago

CorrM commented 6 days ago

How safe is putting the user password in the user object? Is there a validation that happens when calling getUserSession, so that if the client side changed it, it will fail? What is the purpose of NUXT_SESSION_PASSWORD? To validate client data when it reaches the server? Why, in the example, is the password saved in the session? https://github.com/atinux/nuxt-auth-utils/blob/23ccd4c1ea62043ec2f25d7bf61d1e57389b7dbb/playground/server/api/login.post.ts#L10-L15

atinux commented 5 days ago

Never put your user password in the session; it has to be hashed and put in the database and never sent back.

The NUXT_SESSION_PASSWORD is used for encrypting the cookie and has nothing to do with your user credentials.

CorrM commented 5 days ago

What about validation? Can I trust that cookie data? I mean in the same way JWTs work?

Like, can I make sure the username in the cookie is not changed and that the user is really logged in, so I can do something like a DB find by username which comes from the cookie?

anuragkumar19 commented 5 days ago

@CorrM Yes, you can trust cookie data. Cookie sessions are encrypted using NUXT_SESSION_PASSWORD, so nobody can view, edit or create the token without NUXT_SESSION_PASSWORD. It works like JWTs, but the difference is that JWTs are not encrypted, so anyone can view the data stored inside JWTs.
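As an added example that is not code from the nuxt-auth-utils project, the TypeScript below shows the two points made in this thread: the password is stored only as a salted scrypt hash in a constructed user table, and the session cookie carries only the user's id and username, sealed with AES-256-GCM under a key derived from a placeholder NUXT_SESSION_PASSWORD, so a tampered or foreign cookie unseals to null instead of being trusted. The sealing and the `hashUserPassword`/`verifyUserPassword` helpers are this example's own stand-ins, not the library's API.

```typescript
import { scryptSync, randomBytes, timingSafeEqual, createCipheriv, createDecipheriv } from "node:crypto";

// Placeholder for the server-side secret, normally NUXT_SESSION_PASSWORD from the environment.
const SESSION_PASSWORD = "placeholder-session-secret-at-least-32-chars-long";

// --- Credentials: only a salted scrypt hash is stored, never the password itself ---
export function hashUserPassword(password: string): string {
  const salt = randomBytes(16).toString("hex");
  return `${salt}:${scryptSync(password, salt, 32).toString("hex")}`;
}

export function verifyUserPassword(password: string, stored: string): boolean {
  const [salt, hash] = stored.split(":");
  const candidate = scryptSync(password, salt, 32);
  return timingSafeEqual(candidate, Buffer.from(hash, "hex")); // constant-time compare
}

// --- Session cookie: encrypted and authenticated, key derived from the session password ---
const sessionKey = scryptSync(SESSION_PASSWORD, "session-cookie-salt", 32);

export function sealSession(data: object): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", sessionKey, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(data), "utf8"), cipher.final()]);
  return [iv, body, cipher.getAuthTag()].map((b) => b.toString("base64url")).join(".");
}

export function unsealSession(cookie: string): Record<string, any> | null {
  try {
    const [iv, body, tag] = cookie.split(".").map((p) => Buffer.from(p, "base64url"));
    const decipher = createDecipheriv("aes-256-gcm", sessionKey, iv);
    decipher.setAuthTag(tag);
    return JSON.parse(Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8"));
  } catch {
    return null; // wrong key, truncated or edited cookie: the GCM auth tag check fails
  }
}

// Constructed user table standing in for the database.
const users = new Map([["corrm", { id: 1, username: "corrm", passwordHash: hashUserPassword("hunter2") }]]);

// Login: verify against the stored hash, then seal only non-secret fields into the session.
export function login(username: string, password: string): string | null {
  const user = users.get(username);
  if (!user || !verifyUserPassword(password, user.passwordHash)) return null;
  return sealSession({ user: { id: user.id, username: user.username } });
}
```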

CorrM commented 5 days ago

Thanks, guys, all my questions are answered.

Maybe adding that to an FAQ section or something like that would be nice.