
crypto: transparent encryption of session data

Open jas- opened this issue 4 years ago • 4 comments

This will enable OWASP sessions management recommendations for implementations that may push sensitive information to a server side session.

jas- avatar Mar 10 '20 09:03 jas-

I think I'd much rather add the possibility to add an encoding/decoding callback than to bring this into the module itself.

There are many ways it can be done and it would probably be better to have those solutions outside the core, but have the core be extendable enough to support it still.

What do you think?

voxpelli avatar Mar 10 '20 21:03 voxpelli

It’s your party; however, from an implementation perspective, if I can turn a security feature on or off without the fuss of trying to get it to play well with the storage engine, so much the better.

jas- avatar Mar 10 '20 21:03 jas-

My thinking would be that rather than add a bool flag it would ask for an encryption strategy, so sending in a compatible one, published and versioned separately, would be about as complex as just setting the bool flag – only one additional dependency.

I do very much appreciate feedback and thoughts. It makes the project and my decisions better 👍

voxpelli avatar Mar 11 '20 09:03 voxpelli

Morning. A bool flag? Maybe the typedef for the secret option is what you are referring to? Anyways, while I understand the simplicity for the internal structure of your existing module (which is a very well thought out project), I still believe that this is a simpler method for the store to provide the requisite security as compared to trying to monkey patch it between the session module and the data storage engine.

An important question as someone using your module would be “how can I best protect my sessions in an at-rest data store?” Pseudocode:

var express = require('express');
var session = require('express-session');
var pgSession = require('connect-pg-simple')(session);
// kruptein with scrypt key derivation; 'squirrel' below is the encryption secret
var kruptein = require('kruptein')({ use_scrypt: true });

var app = express();

app.use(session({
  store: new pgSession(),                 // connection taken from the PG* env vars
  secret: process.env.FOO_COOKIE_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: { maxAge: 30 * 24 * 60 * 60 * 1000 } // 30 days
}));

app.get('/', function (req, res, next) {
  // Sensitive state is kept encrypted in req.session.data (the field name is
  // illustrative); decrypt it before use. kruptein invokes its callbacks synchronously.
  var state = {};
  var failure = null;
  if (req.session.data) {
    kruptein.get('squirrel', req.session.data, function (err, pt) {
      if (err) { failure = err; return; }
      state = JSON.parse(pt);
    });
    if (failure) return next(failure);
  }

  state.views = (state.views || 0) + 1;

  // Re-encrypt so only ciphertext reaches the Postgres store when the session is saved.
  kruptein.set('squirrel', JSON.stringify(state), function (err, ct) {
    if (err) return next(err);
    req.session.data = ct;
    if (state.views > 1) {
      res.setHeader('Content-Type', 'text/html');
      res.write('<p>views: ' + state.views + '</p>');
      res.write('<p>expires in: ' + (req.session.cookie.maxAge / 1000) + 's</p>');
      res.end();
    } else {
      res.end('welcome to the session demo. refresh!');
    }
  });
});

app.listen(3000);

or as the provided PR implements it?

app.use(session({
  store: new (require('connect-pg-simple')(session))({ secret: 'squirrel' }),
  secret: process.env.FOO_COOKIE_SECRET,
  resave: false,
  cookie: { maxAge: 30 * 24 * 60 * 60 * 1000 } // 30 days
}));

jas- avatar Mar 11 '20 11:03 jas-