I'm using this package for user sessions: https://www.npmjs.com/package/client-sessions
Logging in is going great, but I'm not sure if I'm checking that my users are logged in correctly and securely. I believe the sessions are encrypted, but it seems like just checking if(req.session && req.session.user) is insufficiently secure. Is this the right way to check if a user is logged in? To be clear, users are being logged in and kicked out after the 30 minutes I've indicated, but I'm not much of a hacker and I don't want people just modifying their cookies to get into other users' accounts.
var express = require('express');
var session = require('client-sessions');
var config = require('./config'); // assumed: a module exporting { secret: '...' }
var app = express();
var router = express.Router();

// client-sessions stores the session in an encrypted and signed cookie
app.use(session({
  cookieName: 'session',          // cookie name, also the property on req
  secret: config.secret,          // server-side key used to encrypt and sign the cookie
  duration: 30 * 60 * 1000,       // session lifetime: 30 minutes
  activeDuration: 5 * 60 * 1000   // extend by 5 minutes when used close to expiry
}));

router.get('/', function(req, res, next) {
  // req.session is only populated when the cookie decrypts and verifies
  if (req.session && req.session.user)
    return res.redirect('amazingpage');
  else
    res.render('index');
});

app.use('/', router);
via Glen Pierce