Closed CorrM closed 5 days ago

How safe is putting the user password in the user object? Is there a validation that happens when calling getUserSession? So if the client side changed it, will it fail? What is the purpose of NUXT_SESSION_PASSWORD? To validate client data when it reaches the server? Why in the example is password saved in the session? https://github.com/atinux/nuxt-auth-utils/blob/23ccd4c1ea62043ec2f25d7bf61d1e57389b7dbb/playground/server/api/login.post.ts#L10-L15

Never put your user password in the session. It has to be hashed and put in the database and never sent back.
The NUXT_SESSION_PASSWORD is used for encrypting the cookie and has nothing to do with your user credentials.

What about validation? Can I trust that cookie data? I mean in the same way JWT works? Like, can I make sure the username in the cookie is not changed and that the user is really logged in, so I can do something like a DB find by username which comes from the cookie?

@CorrM Yes, you can trust cookie data. Cookie sessions are encrypted using NUXT_SESSION_PASSWORD, so no one can view, edit or create the token without NUXT_SESSION_PASSWORD. It works like JWTs, but the difference is that JWTs are not encrypted, so anyone can view the data stored inside JWTs.

Thanks, guys, all my questions are answered.
Maybe adding that into an FAQ section or something like that would be nice.
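The pattern the replies describe (hash the password into the database, keep only the username in a session cookie that is encrypted and tamper-evident under the session secret), as an added example that is not nuxt-auth-utils code: AES-256-GCM from node:crypto stands in for the library's own cookie sealing, and the hard-coded SESSION_PASSWORD and the in-memory users map are constructed for this example.

```typescript
// Added illustration (not nuxt-auth-utils code): a sealed session cookie that
// carries only the username, plus a store holding password hashes only.
// AES-256-GCM from node:crypto stands in for the library's own cookie sealing.
import { createCipheriv, createDecipheriv, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Assumed stand-in for NUXT_SESSION_PASSWORD (constructed for this example).
const SESSION_PASSWORD = "example-session-password-at-least-32-chars!!";
const KEY = scryptSync(SESSION_PASSWORD, "session-cookie", 32);

// The "database": salted password hashes, never the plaintext password.
const users = new Map<string, { salt: string; hash: string }>();

function registerUser(username: string, password: string): void {
  const salt = randomBytes(16).toString("hex");
  const hash = scryptSync(password, salt, 64).toString("hex");
  users.set(username, { salt, hash });
}

function verifyPassword(username: string, password: string): boolean {
  const rec = users.get(username);
  if (!rec) return false;
  const hash = scryptSync(password, rec.salt, 64);
  return timingSafeEqual(hash, Buffer.from(rec.hash, "hex"));
}

// Seal: encrypt and authenticate the session payload as iv.tag.ciphertext.
function seal(payload: object): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", KEY, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64url")).join(".");
}

// Open: returns the payload, or null if the cookie was forged or edited.
function openSession(cookie: string): { user: { username: string } } | null {
  try {
    const [iv, tag, ct] = cookie.split(".").map((s) => Buffer.from(s, "base64url"));
    const d = createDecipheriv("aes-256-gcm", KEY, iv);
    d.setAuthTag(tag);
    return JSON.parse(Buffer.concat([d.update(ct), d.final()]).toString("utf8"));
  } catch {
    return null;
  }
}

// Login: check the stored hash, then seal a session holding only the username.
function login(username: string, password: string): string | null {
  return verifyPassword(username, password) ? seal({ user: { username } }) : null;
}
```

A server route would call openSession on the incoming cookie and look the user up by the returned username; any client-side edit to the cookie makes openSession return null.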