Question

I am in the following situation at the moment: I have created a user authentication system using the following technologies:
expressjs (using sessions and cookies)
mysql (to keep the user name and the password)
mongodb for persistent session storage

The aim is to create system that will store a userid in a cookie, and based on that allow access or not.

First question. If I understand correctly how sessions work, every time a user visits my website (logged in or not), he/she gets a new session id through the express session mechanism, which is stored in req.sessionID.

The problem now. On the login page:
User enters a user name/password.
I make a request to mysql server, confirm both username/password. Now, from the examples I have found online, a solution to do a simple user authentication is to do something like this:
req.session.user=username
Then later on check if req.session.user is set, and based on that allow access to the user etc. However, for my website, the user's username is the user's email. Is it safe to store the user's details in a cookie value and in plain text, even if it is for authentication purposes?

What other options are available? Can I encrypt the username before storing in the database with bcrypt, and use that?

Thanks in advance.

A

No correct solution

OTHER TIPS

  1. Set your session cookie options to be httpOnly and pass a long enough string to secret.
  2. Your req object has not only a sessionID property but also a session object. This object is stored in Mongo (or whatever session storage you pass to express) and its contents are not available to your clients. So you can securely store whatever info you want here.

Behind the scenes Express checks that the session key (the only part of the session available to the client; you can verify this by checking the Resources tab of Chrome devtools) matches the current session. If someone tries to forge the session key, Express will notice this. Actually, Express uses Connect middleware, so you may want to skim this for more details: http://www.senchalabs.org/connect/session.html

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow