 

Working with Sessions in Express.js

I need help understanding the concept of sessions for a web application. I am running a Node.js server with Express 3.0.

My goals are to:

  • Create a session for each user that logs in

  • Store this session and use it for validating if the user is already logged in (prevent two devices using the same user at the same time) and to limit access to certain pages (by matching session ID to some other data)

I will be using MemoryStore to save the sessions (seems easiest). If the above goals make sense, can you provide a thorough explanation of how to achieve them?

asked Jan 08 '13 15:01 by cesarcruz91




1 Answer

Express has nice examples in the github repo. One of them deals with authentication and shows how to attach the user to the req.session object. This is done inside the app.post('/login') route.

To limit access to certain pages, add a simple middleware to those routes:

```javascript
function restrict(req, res, next) {
  if (req.session.user) {
    next();
  } else {
    req.session.error = 'Access denied!';
    res.redirect('/login');
  }
}

app.get('/restricted', restrict, function(req, res){
  res.send('Wahoo! restricted area, click to <a href="/logout">logout</a>');
});
```

As Brandon already mentioned, you shouldn't use the MemoryStore in production. Redis is a good alternative. Use connect-redis to access the db. An example config looks like this:

```javascript
var redis = require('redis').createClient();      // Redis client used by the session store
var RedisStore = require('connect-redis')(express);

// add this to your app.configure
app.use(express.session({
  secret: "kqsdjfmlksdhfhzirzeoibrzecrbzuzefcuercazeafxzeokwdfzeijfxcerig",
  // host/port are only used when no client is passed; a default Redis listens on 6379
  store: new RedisStore({ host: 'localhost', port: 3000, client: redis })
}));
```
answered Sep 19 '22 09:09 by zemirco
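The question also asks how to stop two devices from using the same account at once. The following is an added example, not code from the answer above: it extends the `restrict` middleware idea by recording which session ID is currently active for each user, so an older session is refused once the user logs in elsewhere. The `activeSessions` map, `login`, and the `fakeRequest`/`fakeResponse` stand-ins are assumed names for illustration; in a real app the map would live in the shared store (Redis) rather than process memory.

```javascript
// Added example, not code from the original post: enforcing one active session per
// user on top of express-session's req.session / req.sessionID. Mock req/res objects
// stand in for Express so it runs without the framework installed.

// userId -> the session ID currently allowed for that user. In production this map
// would live in the shared session store (e.g. Redis), not in process memory.
const activeSessions = new Map();

// Called by the login route after credentials are verified (assumed done elsewhere).
// Binding the user to the new session makes any older session for that user stale.
function login(req, userId) {
  req.session.user = userId;
  activeSessions.set(userId, req.sessionID);
}

// Middleware for protected routes: require a logged-in session that is still the
// user's active one; a session superseded by a newer login is rejected and cleared.
function restrict(req, res, next) {
  const user = req.session.user;
  if (user && activeSessions.get(user) === req.sessionID) return next();
  if (user) {
    req.session.user = null;                  // stale session: drop its identity
    req.session.error = 'Logged in from another device';
  } else {
    req.session.error = 'Access denied!';
  }
  res.redirect('/login');
}

// Minimal stand-ins for express-session's request and the response (constructed).
function fakeRequest(sessionID) { return { sessionID, session: {} }; }
function fakeResponse() {
  const res = { redirectedTo: null };
  res.redirect = (url) => { res.redirectedTo = url; };
  return res;
}

// Device A logs in as alice, then device B does; A's session must now be refused.
function demo() {
  const a = fakeRequest('sid-A'), b = fakeRequest('sid-B');
  login(a, 'alice');
  login(b, 'alice');
  const resA = fakeResponse(), resB = fakeResponse();
  let aPassed = false, bPassed = false;
  restrict(a, resA, () => { aPassed = true; });
  restrict(b, resB, () => { bPassed = true; });
  return { aPassed, bPassed, aRedirect: resA.redirectedTo, aError: a.session.error };
}
```

Use `req.session.regenerate()` in the real login route before calling `login` so the session ID changes at authentication time, which also prevents session fixation.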