All Questions
11 questions
1 vote, 2 answers, 496 views
Can CSRF attacks be blocked without CSRF tokens if I send the session-id in the headers
I'm using session-based authentication in my app, and I want to protect against CSRF attacks. I thought about just sending the session ID in the header of the request.
To be clear, the backend server ...
2 votes, 1 answer, 3k views
Why is the express-session connect.sid value visible on the client?
I was playing around with express-session and reading their documentation and it seems like on the client side, the cookie with the name connect.sid stores the session ID. My understanding of security ...
1 vote, 1 answer, 2k views
What is the best way to manage sessions in Node.js?
I'm learning Node.js, and I was wondering what is the best way to handle sessions.
It occurs to me that there are two main options: express-session, or cookie-session.
I did some research, and I've ...
0 votes, 0 answers, 67 views
How do I set browser session attributes appropriately to protect what user ID is being sent in an HTTP request?
I am building a site with various users who have different levels of permissions and I want to make sure I'm using a secure pattern. The front end is Angular and the back-end is NodeJS, Express and ...
0 votes, 4 answers, 1k views
How to prevent overflow of sessions in node.js app?
I have a Node.js web application which uses the Express framework, and it is reachable via the internet.
I am using a session store which stores the sessions as plain files on disk, and with the current ...
1 vote, 2 answers, 4k views
Using encrypted cookies and a session store to secure requests
I've recently noticed that an application I'm consulting on is utilizing unencrypted cookies. The front end (Angular) regularly uses the following to extract the user id:
var user_id = JSON.parse($...
5 votes, 1 answer, 2k views
In Express.js, is it safe to store any data in sessions?
I'm used to working solely with cookies.
With cookies, I would save a username and hash and perform a database query on each pageload, to ensure that the user has the correct password. I was about ...
0 votes, 0 answers, 116 views
ExpressJS And Connect-Mongo Session
I'm using connect-mongo in my ExpressJS apps.
// Express 3 style: express.session is the bundled session middleware
// (removed in Express 4, where the separate express-session package is used).
app.use(express.session({
    secret: 'some string',          // key used to sign the session ID cookie
    store: new MongoStore({
        db: mongoose.connection.db  // reuse the existing mongoose connection
    })
}));
What are the other ...
6 votes, 3 answers, 8k views
ExpressJS: how does req.session work?
I am writing an ExpressJS backend with User login support. From multiple examples I see the use of req.session object. It seems this object is used to store and retrieve information across server and ...
2 votes, 1 answer, 638 views
express secret key length
Are there any recommendations for the length of the secret key used to cryptographically hash session data in connect/express? I see everything from 60+ character strings to the canonical 'keyboard ...
6 votes, 1 answer, 2k views
Is it safe to use "Access-Control-Allow-Origin: *" setting on the server and use session based cookies at the same time?
I want to allow client applications to make cross domain JSON requests to a central data server. The clients and server will be on different domains.
To get around the "Origin null is not allowed by ...