JavaScript
Abc Edc, 2015-05-08 10:51:52

How to work with cookies correctly?

If the client has to accompany each action with a check of whether there is a session, and the session is stored in cookies, then, say, before requesting these protected pages, is it possible to write the user-id correspondence from the server just once and after that check only the cookie? That is, if something like cookie.user is not empty, then serve the page; or do you need to check this correspondence on the server every time?
This is how I check on the server now:

if (req.session.user) {
    res.json({"login": req.session.user});
} else {
    next();
}

The attacker will not be able to change the cookie because I use the key:
app.use(session({
    secret: config.get('session:secret'),
    resave: false,
    saveUninitialized: true,
    name: config.get('session:name'),
    // express-session reads cookie attributes only from the `cookie` object;
    // path, httpOnly and maxAge given at the top level are ignored.
    cookie: {
        path: config.get('session:path'),
        httpOnly: config.get('session:httpOnly'),
        maxAge: config.get('session:maxAge')
    },
    store: new MongoStore({
        host: 'localhost', // Default, optional
        port: config.get('mongoose:port'), // Default, optional
        db: config.get('mongoose:db') // Required
    }),
    proxy: true
}));


1 answer(s)
Alexander, 2015-05-08
@gleber1

You should always check on the server.
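
An added example, not part of the question or the answer above, showing what the per-request server-side check involves. It is a simplified stand-in for a signed session cookie plus a server-side store, not express-session's own code; `SECRET`, `COOKIE_NAME`, the in-memory `store` and the function names are assumptions made for the sketch.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // stands in for config.get('session:secret')
const COOKIE_NAME = 'sid';                // stands in for config.get('session:name')
const store = new Map();                  // stands in for the MongoDB session store

// Signed cookie value: session id + "." + HMAC-SHA256(session id).
function sign(sid) {
  const mac = crypto.createHmac('sha256', SECRET).update(sid).digest('hex');
  return `${sid}.${mac}`;
}

// Return the session id if the signature verifies, otherwise null.
function unsign(signed) {
  const dot = signed.lastIndexOf('.');
  if (dot < 1) return null;
  const sid = signed.slice(0, dot);
  const expected = Buffer.from(sign(sid));
  const given = Buffer.from(signed);
  if (expected.length !== given.length) return null;
  return crypto.timingSafeEqual(expected, given) ? sid : null;
}

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Per-request check: only a validly signed id that still exists in the
// store identifies a user. Any other cookie (e.g. "user") is ignored.
function authenticate(cookieHeader) {
  const signed = parseCookies(cookieHeader)[COOKIE_NAME];
  const sid = signed ? unsign(signed) : null;
  const session = sid ? store.get(sid) : undefined;
  return session ? session.user : null;
}

function login(user) {
  const sid = crypto.randomBytes(16).toString('hex');
  store.set(sid, { user });
  return `${COOKIE_NAME}=${sign(sid)}`;
}

function logout(cookieHeader) {
  const sid = unsign(parseCookies(cookieHeader)[COOKIE_NAME] || '');
  if (sid) store.delete(sid);
}
```

The signature only proves the cookie value was issued by the server; the store lookup is what makes logout and expiry take effect, which a one-time client-side check of a `user` cookie cannot do.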
