javascript - Node.js req.session for storing user info


This may or may not be a noob question. I have been working with node.js for quite a while, and I'm wondering how safe it is to use the req.session statement.

I'm developing a web app with the backend in node.js and the frontend in angular.js. In the backend I'm using req.session to check whether or not a user is an admin. I know req.session is strictly bound to the requesting party. But how safe is it actually? Is it spoofable, and so on...

For example, I'm using this code when logging in:

    // on successful login: store the user and the admin flag in the server-side session
    req.session.user = new User();
    req.session.user.isAdmin = user.isAdmin;

etc...

So I'm wondering, if multiple users are using the backend at the same time, first, won't it ever occur that node.js mixes things up, and second, is this method spoofable or hack proof?

An express session uses a cookie to connect the browser to a session. A session can be hacked by either hacking the server (to steal or modify data as it arrives on the server), breaking the login system (to impersonate another user) or stealing cookies after login.

The session lives on the server (or anywhere the server might store it). The session itself is not exchanged with the client. A cookie that serves as an index to the session is what is exchanged with the client. The client presents the cookie in each subsequent request, and that allows node.js to identify the user and look up the session object for that user (in the server session store). So, the session is as secure as the cookie and the session store. If someone can grab the cookie or break into the store, they can impersonate a logged-in user or directly access the session data.

As such, the overall security depends on these things:

  1. How safe is the login process from being hacked?
  2. How safe are the server and the server's data from intruders?
  3. Are you using appropriate https transport and server certificates to protect the cookies in transit?
  4. Is the end-user's computer secure, so cookies can't be stolen and used by an impersonator before they expire?
  5. Are you using appropriate expiration dates on login cookies to lessen the chances of a compromised cookie being used by someone else?

The login system is the weak link. If you aren't requiring strong credentials or your users aren't protecting their credentials, others can get in, but that isn't session security.

If your server is not safe from hackers, then folks can break in and either intercept cookies or perhaps do worse things to compromise the server or the session.

If you are not using https with appropriate safeguards, cookies can be stolen in transport (particularly on non-secure wifi), and stolen cookies can be used to impersonate users and access data or carry out actions the user is allowed to do.

If the end user's computer is not secure, someone may be able to physically use that computer or may be able to steal the cookies and use them as an impersonator before they expire.

If all of the above things are done well, then express sessions are quite secure and use the same type of cookie-based session scheme that google, facebook, wells fargo, b of a, etc... use for their login sessions.

> So I'm wondering, if multiple users are using the backend at the same time, first, won't it ever occur that node.js mixes things up?

Node.js will never mix things up. Your node.js code has to make sure it never mixes things up, because there can be multiple requests in process at the same time. But each request has its own req and res object, and as long as you are accessing the session via the req object and aren't putting session data into variables that might be accessible to other requests running at the same time, it will never get mixed up. So, only your own code could cause concurrency problems. node.js and express sessions do not have concurrency issues of their own. It is safe in this regard.

> And second, is this method spoofable or hack proof?

See the above discussion.
