Open jcyh0120 opened 7 years ago
I also realized that sessions are always in use, even when set to false in the strategy options. This is an issue, right?
Bit of a late answer but as reference for everyone else:
The sessions option described in the readme appears to be wrong (see PR to fix this). It needs to be added to the passport.authenticate middleware initialization instead (source):
app.post('/login', passport.authenticate(['local'], {
  session: true,
  /** other options **/
}), (req, res) => {
  /** your handler */
})
Same here https://github.com/jaredhanson/passport-local/issues/155
session: false has to be in passport.authenticate('local', { session: false })
I tried this example code passport-local-example and applied the parameters to the local strategy.
However, it seems that the session is still in use. I could get the user's password from req.session.user.
Only username, password, and callback are set in this lib.
I don't have experience in security. Is it correct that I could get the user's password in req.user.password? Will this be unsafe?