
I am looking for some information on best practices when using the passport local strategy. I went through the local strategy example that uses an authToken for login persistence, found on github. When speaking with a coworker, they posed the question: how is storing this token in a session cookie any more secure than storing a password, because it's essentially your authenticated identity on the server? So how do I answer this question? It's a green question; I admittedly don't fully understand the entire lifecycle. So how is this a safe solution when integrated with bcrypt and mongo like the example is? And if it was merely an example and not necessarily meant to show a robust solution, what are some best practices to keep our users and our application safe?

https://github.com/jaredhanson/passport-local/tree/master/examples/express3-mongoose-rememberme

laggingreflex

1 Answer

Your coworker is not wrong; the implementation is not very secure (in fact it could be argued to be less secure, since the sessionId can be used as is, without encryption).

It's more secure only in the fact that it can only be used within 30 days, while the username/password can be used until the user removes it. (It's also more useful because you can remove the sessionId without changing the password.)

However, it is not the secure way of implementing Remember me; see The definitive guide to form-based website authentication for information on a good way of implementing rememberMe.

Basically you need to change the github code to do the following:

  1. keep the cookie to end at the end of the session (i.e. when the user closes the browser)
  2. if the user requests remember me when logging in with username/password, send a new cookie with the accessToken (httpOnly cookie).
  3. when the client sends a request with the accessToken cookie but not the sessionId cookie, you log the user in using the accessToken, and then change the accessToken to a new accessToken (both in the client's cookie and in the db user)

Also, always use https when logging in with username/password (at the very least).

Edit: I've put an example of what I personally use now in a gist: https://gist.github.com/Illniyar/5432646 Maybe it'll help you get along (though it's a bit jumbled). The tokens work as advertised, but I'm not using passport yet; it shouldn't be too hard to port it to passport though. Note also how the password for the user is kept (secure with a different salt for each user), and how logout is performed.

Alon Bar David
  • I've put an example of what I personally use in a gist: https://gist.github.com/Illniyar/5432646 Maybe it'll help you along; it's a bit jumbled though. And no passport yet. – Alon Bar David Apr 22 '13 at 05:53