Do I need to authenticate session data in Express middleware?
Problem
Currently my authentication middleware for my Express 3.0 app looks something like this:
// Factory wrapper added so the snippet runs stand-alone: isProtected, dbman,
// redirectPath and debug were free variables in the original and are passed in here.
function createAuthMiddleware(isProtected, dbman, redirectPath, debug) {
  return function (req, res, next) {
    if (!isProtected(req.path)) {
      // Public path: no authentication required
      debug('Allowed path "' + req.path + '" --> calling next()');
      next();
    } else if (req.session.user != undefined) {
      // Server-side session already holds a user record set by an earlier login
      debug('User session detected --> calling next()');
      next();
    } else if (req.cookies.user != undefined && req.cookies.pass != undefined) {
      // "Remember me" cookies are client-supplied, so they are checked against the DB
      var username = req.cookies.user;
      var hash = req.cookies.pass;
      debug('Cookies detected, authorizing...');
      dbman.auth(username, hash, function (err, record) {
        if (err) {
          debug('Authorization error --> ' + err);
          next(err); // the original logged and stopped here, leaving the request hanging
        } else if (!record) {
          res.redirect(redirectPath);
        } else {
          debug('Autologin successful, storing session data');
          req.session.user = record;
          next();
        }
      });
    } else {
      debug('Protected path -- No valid session or cookies were detected');
      debug('redirecting to "' + redirectPath + '"');
      res.redirect(redirectPath);
    }
  };
}
I am working under the assumption that the user could never set req.session themselves and the fact that req.session.user will only be set after successful authentication. Therefore, if a user record is present in the session store, I let the request go through without even bothering to authenticate the user details present in the record. When there are cookies however, I authenticate the hash present in the cookie. Do I need to be authenticating session records in fear of a user somehow being able to manipulate the session?
Solution
Session is your internal data structure only - so no, unless you provide logic for session manipulation, there is no way the user can do it. What Express does is store encrypted session ID in the user cookies which then translates to the session object stored on the server. User could only manipulate the session object ID if he'd known the encryption key - which he doesn't.