Sunday 28 May 2017

How to securely determine if user is logged in using client-session

I'm using this package for user sessions: https://www.npmjs.com/package/client-sessions

Logging in is going great, but I'm not sure if I'm checking that my users are logged in correctly and securely. I believe the sessions are encrypted, but it seems like just checking if(req.session && req.session.user) is insufficiently secure. Is this the right way to check if a user is logged in? To be clear, users are being logged in and kicked out after the 30 minutes I've indicated, but I'm not much of a hacker and I don't want people just modifying their cookies to get into other users' accounts.

var session = require('client-sessions');

// Session cookie middleware: contents are sealed with the server secret,
// expire after 30 minutes, and are refreshed while the user stays active.
app.use(session({
    cookieName: 'session',
    secret: config.secret,
    duration: 30 * 60 * 1000,
    activeDuration: 5 * 60 * 1000
}));

router.get('/', function(req, res, next) {
    // req.session.user is only present if the server set it on login
    if (req.session && req.session.user)
        return res.redirect('amazingpage');
    else
        res.render('index');
});

via Glen Pierce
