Session & Cookies

Some time ago, I started backend development with node.JS, express.JS and mongo DB, I was completely lost on how everything works, over the months I have built a small understanding of how things work. I can now build a somewhat basic backend.
The above paragraph is for you to understand where I am coming from.
Right now I am figuring out how session and cookies work in a website using react.JS, prisma, express.JS, passport.JS, postgresql and node.JS (before for auth, I would use JWT tokens), When learning them, I went through the internet and came across explanations on their usage. They told me this, when logging in you have to store sessions in the database like this.

require("./strategies/local.ts");
const app = express();
app.use(express.json());
app.use(cors());
app.use(cookieParser());
app.use(
  session({secret: process.env.SESSION_SECRET as string,
    resave: false, saveUninitialized: false,
    cookie: { maxAge: 30 * 24 * 60 * 60 * 1000 },
    store: new (require("connect-pg-simple")(session))({
      pool: new pg.Pool({
        user: value,
        host: value,
        port: value,
        database: value,
        password: value,
      }), tableName: value,
    }) }))
app.use(passport.initialize())
app.use(passport.session())

require("./strategies/local.ts");
const app = express();
app.use(express.json());
app.use(cors());
app.use(cookieParser());
app.use(
  session({secret: process.env.SESSION_SECRET as string,
    resave: false, saveUninitialized: false,
    cookie: { maxAge: 30 * 24 * 60 * 60 * 1000 },
    store: new (require("connect-pg-simple")(session))({
      pool: new pg.Pool({
        user: value,
        host: value,
        port: value,
        database: value,
        password: value,
      }), tableName: value,
    }) }))
app.use(passport.initialize())
app.use(passport.session())

and when logging out first destroy the session from the machine with this code.

req.logout(function (err) {
      if (err) throw new Error(err);
      req.session.destroy(function (err) {
        if (err) throw new Error(err);
  res.status(200).send({ message: "Logged out successfully." })
      })
    })

req.logout(function (err) {
      if (err) throw new Error(err);
      req.session.destroy(function (err) {
        if (err) throw new Error(err);
  res.status(200).send({ message: "Logged out successfully." })
      })
    })

and then delete the session from the database, So lets suppose I use something like

prisma.loginSession.delete()

prisma.loginSession.delete()

So here is my question, when deleting the session from the database do I manually have to delete them like above or is there some inbuilt code for handling that, without using prisma. Also Some recommendation for backend topics will be appreciated.

gmoxy•11/24/23, 6:48 PM

You should invalidate (delete or only mark as expired) the session from the database and check the validity of it on every secure request with your database

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#logout-button

a good read if you want to understand cookies security to a industry standards

Session Management - OWASP Cheat Sheet Series

Website with the collection of all the cheat sheets of the project.

gmoxy•11/24/23, 6:49 PM

also depends on how you check cookies

Ggmoxy You should invalidate (delete or only mark as expired) the session from the data...

Hamza Ali TuriOP•11/25/23, 9:27 AM

Thanks for answering, I have another question. What's the point of saving the session in the database when the user logs in and deleting the session from the database when the user logs out?

Hamza Ali TuriOP•11/25/23, 1:09 PM

Ok it got solved. Thanks anyway.

Erick Rodriguez•11/25/23, 6:14 PM

Express can't by itself tracks users, so it need two references: the cookie and the record of the session manager. It is part of the process of express to check what users are active and which don't. Usually you would prune the DB with a scheduled task.