0

I'm having a problem of understanding the steps for authentication using Express session(backend) + React(frontend).. When a user logs in the server set up a session cookie object with the user id and this way it can identify if the user is logged in or not...

What about the client side? when user logs in and and I generate a token I send it back to the react app and save it in localStorage to use it for every request I make later? I heard that this is not secured.... So I ask you how should I implement that? How can I save the token I get from the server to use it when I make requests later? One way I can think of is making another get request on server side which returns the session.userId so I can see if thats true then the user is logged in... I'm just trying to figure out how to implement that

thanks!

hindi1991
  • 475
  • 1
  • 14
  • 28
  • Consider JWT for persisting the user session. There's a Q&A on why JWT is considered secure: https://stackoverflow.com/questions/27301557/if-you-can-decode-jwt-how-are-they-secure. – rishat Nov 11 '19 at 23:52
  • yea I understand that.. but that's not my question. After saving it as jwt how should I pass/STORE it to react so the app can use it to send the token in the next request I make?@rishat – hindi1991 Nov 11 '19 at 23:55

1 Answers1

1

Browsers implement cookie storage, you don't have to do anything explicit on the client side to maintain the express session. When authentication first happens the server sends a header to the client instructing it to store a cookie and the browser will hold onto that cookie and send it back on all subsequent requests. None of this needs to happen in client scripts (i.e. your javascript code).

You don't need to store cookies in local storage, usually you should not and session cookies will be "httponly", meaning the client scripts are forbidden from accessing them. This is to mitigate the possibility of session stealing in the case of XSS.

Ryan Jenkins
  • 714
  • 6
  • 16
  • But what If i configured this cookie to be only on server side? this configuration - cookie.httpOnly Specifies the boolean value for the HttpOnly Set-Cookie attribute. When truthy, the HttpOnly attribute is set, otherwise it is not. By default, the HttpOnly attribute is set. Note be careful when setting this to true, as compliant clients will not allow client-side JavaScript to see the cookie in document.cookie. taken from official: https://www.npmjs.com/package/express-session @Ryan Jenkins – hindi1991 Nov 11 '19 at 23:59
  • So you also say I cannot access this session cookie from react just like I did... than how can I set the header with the proper token for the request If I don't have the token? @Ryan Jenkins – hindi1991 Nov 12 '19 at 00:04
  • @hindi1991 re: your last comment, the browser will set the `Cookie` header for you automatically, you generally should not need to manually specify cookies to be sent. Also the `HttpOnly` attribute does not mean "server side only", HttpOnly cookies are cookies managed by the browser and not accessible to client scripts, but they are still sent, automatically, between the browser and the server. – Ryan Jenkins Nov 12 '19 at 00:10
  • thanks for the answer but Im still having a problem... what if I need to render diffrent links as a result of if the user is logged in or not.. I need an variable which is true or false or any other identifier which says that I'm logged in... How can I get and use it after logging in? @Ryan Jenkins – hindi1991 Nov 12 '19 at 19:44
  • You can store some value to indicate if a user is logged in or not, it doesn't need to be the session ID. You can set the value when authentication is successful, just be sure to include logic to unset it on logout or session expiration (probably the most reliable way to detect session expiration is that a request fails for that reason) – Ryan Jenkins Nov 17 '19 at 19:55