Closed. aprilmintacpineda closed this issue 6 years ago.
This library stores the session directly in the cookie (so, it's a client-session :D). It does this by encrypting and signing the cookie contents. The point of the library is to allow you to store verified user state with the user, and not in a database.
@seanmonstar makes sense, but is it still safe to do that? I used this for csrf protection for a mobile app, and most likely for a web app as well.
We used it for the session management in Persona (BrowserID). You manage some secrets in your app to do the encrypting and signing. The data is encrypted, so a user shouldn't be able to read what it actually says. And it is signed, so a user shouldn't be able to try to just randomly change the data and hope it decrypts, since the signature will be broken.
A downside though, is that this `Cookie` header is sent with every request, so be careful to not store large amounts of data in it.
Forgive my ignorance. I'm quite new to nodeJS. So I saw a different library that handles sessions as well; it uses either redis or mongoDB for storing the sessions. Now I thought it was brilliant, but this library is a lot more robust. I was reading the docs included at npm but I couldn't find where you store the session. I also couldn't figure it out by reading the code, as I am not familiar with all the modules that you used. Would you be so kind as to elaborate how and where you store the sessions? Thanks in advance.