
Do I need to authenticate session data in Express middleware?

Currently my authentication middleware for my Express 3.0 app looks something like this:

return function (req, res, next) {
    if (!isProtected(req.path)) {
        debug('Allowed path "' + req.path + '" -->  calling next()');
        next();
    } else if (req.session.user != undefined) {
        debug('User session detected --> calling next()');
        next();
    } else if (req.cookies.user != undefined && req.cookies.pass != undefined) {
        var username = req.cookies.user;
        var hash = req.cookies.pass;

        debug('Cookies detected, authorizing...');
        dbman.auth(username, hash, function (err, record) {
            if (err) {
                debug('Authorization error --> ' + err);
                next(err); // pass the error on instead of leaving the request hanging
            } else if (!record) {
                res.redirect(redirectPath);
            } else {
                debug('Autologin successful, storing session data');
                req.session.user = record;
                next();
            }
        });
    } else {
        debug('Protected path -- No valid session or cookies were detected');
        debug('redirecting to "' + redirectPath + '"');
        res.redirect(redirectPath);
    }
};

I am working under the assumption that the user could never set req.session themselves, and that req.session.user will only be set after successful authentication. Therefore, if a user record is present in the session store, I let the request go through without even bothering to authenticate the user details present in the record. When there are cookies, however, I authenticate the hash present in the cookie. Do I need to be authenticating session records for fear of a user somehow being able to manipulate the session?

Problem courtesy of: Cory Gross


Session is your internal data structure only - so no, unless you provide logic for session manipulation, there is no way the user can do it. What Express does is store an encrypted session ID in the user's cookies, which then translates to the session object stored on the server. The user could only manipulate the session object ID if he knew the encryption key - which he doesn't.

Solution courtesy of: RushPL


This post first appeared on Node.js Recipes, please read the originial post: here