- By default an HTTP request cannot remember or keep track of what requests came before it.
- But sometimes it is necessary for both the client and server to remember state while sending requests and returning responses (e.g. when a user is logged in).
- Last week we talked about stateful vs stateless authentication, and we implemented stateless authentication with JWTs.
- The user's state (in our projects this was logged_in=true) is stored in the JWT on the CLIENT SIDE.
- The server VERIFIES that these details have not been tampered with (the state is never stored on the server).
- The other way to do this is by storing the client's state (the logged_in boolean, or anything else really) on the SERVER:
- A session id (usually a string or a number) is sent as a cookie to the client.
- The session id is a reference to the state data; remember that this data is stored on the server.
- Every time the client makes a request, the session id is sent in the Cookie header, and the server looks up the user state matching that session id.
- This gives the server a way to identify the source of a request
- and to provide the corresponding responses.
cookie-session is a simple / lightweight cookie-based session implementation.
This module stores the session data on the client within a cookie, while a module like express-session stores only a session identifier on the client within a cookie and stores the session data on the server, typically in a database.
Keeping the data in the cookie means that cookie-session:
- does not require any database / resources on the server side, though the total session data cannot exceed the browser's max cookie size,
- can simplify certain load-balanced scenarios.
$ npm install cookie-session

var cookieSession = require('cookie-session')
var express = require('express')

var app = express()

app.use(cookieSession({
  name: 'session',
  // secrets used to sign the cookie; replace with long random values
  keys: ['REPLACE-WITH-SECRET-KEY-1', 'REPLACE-WITH-SECRET-KEY-2']
}))

app.use(function (req, res, next) {
  // count views: store n + 1 (n++ would write the old value back and the
  // counter would never move)
  var n = req.session.views || 0
  req.session.views = n + 1
  res.end(n + ' views')
})

app.listen(3000)
keys are the secrets your cookie is signed with. cookieSession serialises your session data, signs it with the secret, and stores the signed result in the cookie itself, exposed to your code as req.session.
express-session gives stateful session management: only the user identifier (session id) is stored in a cookie, and the actual session data is stored in one of the storage options.
It requires a secret; the session id is signed with it before the cookie is set, and the signature is checked when the server looks for a session.
const session = require('express-session');
app.use(session({ secret: 'fac17' }));
The express-session middleware inserts another object into req, called session, that will be available for each request. We can manipulate it like any other object:
req.session.whatever = 'you want';
The default store is MemoryStore (intended for development only: it is not shared between processes and keeps every session in memory), but there are others, including session-file-store, express-mysql-session and connect-redis.
const session = require('express-session');
const FileStore = require('session-file-store')(session); // store constructor, needs `new`
app.use(session({ secret: 'fac17', store: new FileStore({ path: './sessions' }) }));
In the page_views example below:
- express-session creates a new session for the user on their first request
- and assigns them a cookie containing the session id.
- Next time the user comes back,
- the cookie is checked,
- and the page_views session variable is updated accordingly.
const express = require('express');
const session = require('express-session');

const app = express();

// initiate session middleware
app.use(session({
  secret: "Shh, its a secret!",
  resave: false,            // don't rewrite unchanged sessions to the store
  saveUninitialized: true   // create the session (and cookie) on the first visit
}));

app.get('/', function(req, res){
  // req.session is preserved between requests
  if(req.session.page_views){
    req.session.page_views++;
    res.send("You visited this page " + req.session.page_views + " times");
  } else {
    req.session.page_views = 1;
    res.send("Welcome to this page for the first time!");
  }
});

app.listen(3000);
Now if you run the app and go to localhost:3000, the first-visit welcome message is displayed.
If you revisit the page, the page counter will increase. The page in the screenshot was refreshed 42 times.
[Screenshot: express-session page-view counter, from The Polyglot Developer]
https://flaviocopes.com/express-sessions/
https://dzone.com/articles/securing-nodejs-managing-sessions-in-expressjs