Session & Cookies

Some time ago I started backend development with Node.js, Express.js and MongoDB. I was completely lost on how everything works; over the months I have built a small understanding of how things work, and I can now build a somewhat basic backend. The above paragraph is for you to understand where I am coming from. Right now I am figuring out how sessions and cookies work in a website using React.js, Prisma, Express.js, Passport.js, PostgreSQL and Node.js (before, for auth, I would use JWT tokens). When learning them I went through the internet and came across explanations of their usage. They told me this: when logging in you have to store sessions in the database like this.
import express from "express";
import cors from "cors";
import cookieParser from "cookie-parser";
import session from "express-session";
import passport from "passport";
import pg from "pg";
import connectPgSimple from "connect-pg-simple";
import "./strategies/local"; // registers the passport LocalStrategy plus serializeUser/deserializeUser

const PgSession = connectPgSimple(session);
const app = express();
app.use(express.json());
// Caveat: if the React app runs on another origin, cors() with no options is not enough for
// cookie sessions; the browser only sends the cookie when the origin is listed and credentials: true is set.
app.use(cors());
app.use(cookieParser()); // not required by express-session, which parses and verifies its own cookie
app.use(
  session({
    secret: process.env.SESSION_SECRET as string, // signs the session-id cookie; keep it out of source control
    resave: false,
    saveUninitialized: false, // no session row is written until something is stored (e.g. a passport login)
    cookie: {
      maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days; the row's expire column gets the same deadline
      httpOnly: true, // express-session's default, kept explicit: not readable from page scripts
      sameSite: "lax",
      secure: process.env.NODE_ENV === "production", // only send the cookie over HTTPS in production
    },
    store: new PgSession({
      pool: new pg.Pool({ user: value, host: value, port: value, database: value, password: value }),
      tableName: value, // placeholders as in the original post; fill from your own config
    }),
  })
);
app.use(passport.initialize());
app.use(passport.session()); // reads passport.user from the session row and sets req.user
and when logging out, first destroy the session on the machine with this code.
app.post("/logout", (req, res, next) => {
  req.logout(function (err) {
    if (err) return next(err); // never throw inside a callback: Express cannot catch it and the process dies
    req.session.destroy(function (err) { // also calls store.destroy(sid), which deletes the row
      if (err) return next(err);
      res.clearCookie("connect.sid"); // express-session's default cookie name
      res.status(200).send({ message: "Logged out successfully." });
    });
  });
});
and then delete the session from the database. So let's suppose I use something like
prisma.loginSession.delete()
So here is my question: when deleting the session from the database, do I have to delete it manually like above, or is there some inbuilt code for handling that without using Prisma? Also, some recommendations for backend topics would be appreciated.
4 Replies
gmoxy (15mo ago)
You should invalidate (delete, or only mark as expired) the session in the database and check its validity on every secure request against your database. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#logout-button is a good read if you want to understand cookie security to industry standards.
gmoxy (15mo ago)
Also, it depends on how you check cookies.
Hamza Ali Turi (OP, 15mo ago)
Thanks for answering. I have another question: what's the point of saving the session in the database when the user logs in and deleting it from the database when the user logs out? OK, it got solved. Thanks anyway.
Erick Rodriguez (15mo ago)
Express can't by itself track users, so it needs two references: the cookie and the record in the session manager. It is part of Express's process to check which users are active and which aren't. Usually you would prune the DB with a scheduled task.