Cookie less version?
I have a cookie-less API (which uses JWT for authentication) for a single page app and need a session store for the passport-oauth1 module (unfortunately, that module requires a session store to work). I was wondering if I could instead base the session store on a req.query.session_id query parameter instead of storing the session id in a cookie. Is there any module that behaves like express-session but which will retrieve the session id from a URL rather than a cookie?
There is a PR which will help do exactly what you are asking, but we have not pulled it yet: #159.
@gabeio thanks
What is the latest art on this? I don't believe we ever landed an RFE that will address this.
Is there some way we can support JWT instead of a cookie? I was working on a project where we have to support clients other than web browsers and was looking to use JWT to store the session id. I was wondering if there is some way I can use express-session together with JWT for that purpose.
Hi @jilvin, can you not decode your JWT and just call the .get method on the store you're using to retrieve the session, and .set to set it again?
@dougwilson Thanks for replying really fast. Appreciate it.
Yeah, we were thinking of proceeding that way. But since this is one of the core parts of our system as a whole, we were thinking it would be better if we could use something really battle-tested like express-session. We do not want to roll out creepy security bugs, especially in something as critical as authentication. That's why I was trying to integrate express-session together with JWT instead of cookies.
I hope you might be able to provide more insights regarding this. Thanks in advance.
Gotcha. So the main part of authentication / security would be in your JWT handling; a cookie-less version of this module wouldn't help in that regard, as securing your JWT would end up falling to your implementation-specific details. For example, JWTs can be constructed in any way, signed or not, encrypted or not, come in anywhere in a request, etc.
The main features this module provides on top of get/set on the session store are mainly around managing cookies specifically -- that when a cookie does not exist, it makes a new one, creates a new session, etc. Typically with these "cookie-less" flows like JWT, a request without a JWT is not just going to want to get a session created for it; it would typically be outright rejected.
I believe there is another thread somewhere, and I will try and dig it up for you. I don't think this was in that thread, but just a current thought: perhaps a req.session.load API would be added that would load up a specific session ID, which you can call after decoding your incoming JWT -- I haven't put a lot of thought into that, so take that with a grain of salt on whether it would work or not 😂
@dougwilson Yeah, I went through index.js. It seems it's better to roll out our own version as you suggested. We will try to improve the code as far as we can and maybe open source it later in case someone else needs it. Appreciate your work on the package and thanks again for the prompt replies. Cheers.