
I'm trying to understand how a user can stay logged in (I'm trying to implement this in Node without frameworks, for learning). Just a couple of questions based on what I think I understand:

(1) When the user tries to log in, the client sends the username and password in an HTTP request body

(2) When the data arrives at the server, it checks everything needed, like whether the user exists and the password is correct

And here comes, I think, my problem: how can the user stay logged in? The third step would be something like:

(3) The server creates all the session data needed, encrypts it and sends it to the client?

(4) The client stores the encrypted data in localStorage

(5) The credentials are sent with every request to the server, and the server decrypts and checks them before processing every user action.

That's what I understand. But I find this very strange. I feel I'm missing a lot... storing data on the client side doesn't seem (at least to me) secure. Should the session data be stored server-side? And how should the username and password be sent securely? Must they be encrypted client-side? Is this secure? I think I'm looking for some pattern, or I don't know. I feel lost.

Yeah, and sorry for my bad English and poor knowledge. I'm not asking for code, and I would also appreciate any hint (like what to search for on Google, or an interesting blog) :)

Thank you, and a hug :)

--- EDIT --- Well, I finally found some useful links and resolved a large part of my doubts :)

[http://stackoverflow.com/questions/6922145/what-is-the-difference-between-server-side-cookie-and-client-side-cookie][1]
[http://blog.codinghorror.com/protecting-your-cookies-httponly/][2]
[http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf][3]
[https://es.wikipedia.org/wiki/Cookie_(inform%C3%A1tica)][4]
[https://newspaint.wordpress.com/2015/09/06/how-to-get-cookies-from-node-js-http-response/][5]
Emilio Grisolía
  • Essentially, the data is stored on the server, in a database such as mysql, mongo or dynamo. It's accessed by a key, which is stored in a cookie in the user's session. Middleware in express checks for the existence of the cookie, retrieves the key, and retrieves the data from the data store. This allows you to have a session that stays intact over calls to the application, and will also allow the client to work in a load balanced situation, where they may not always hit the same node server. – CargoMeister Feb 24 '16 at 00:56

1 Answer

1 and 2 are correct.

Sessions are usually implemented using cookies, not client-side local storage, because cookies are automatically sent to the server with each request. The cookie will often contain just a long randomly generated ID which refers to data stored on the server side, e.g. in a database. This data will identify the user and possibly store other session-level settings.

It is also possible to use a cookie with signed (and possibly encrypted) user information - for instance ASP.NET does this by default. This has the benefit that no storage is required for the session. The downside is that sessions cannot easily be destroyed from the server side. Therefore e.g. a feature that shows the user their currently active sessions (from other devices) and allows them to log them out couldn't be implemented.

Sending the username and password over the Internet should preferably be done securely, by using HTTPS. Do not implement your own encryption on the client side. It will likely not work, plus the cookies themselves are liable to be stolen if the connection is not properly encrypted and authenticated.

Matti Virkkunen
  • So the cookies are something like a piece of data stored on the client, and it has something like a value determined by the server? The server stores the cookie "value" with a key, and with every request the client must send its "cookie key"? I'll take a look at HTTPS. Thanks :) – Emilio Grisolía Feb 24 '16 at 17:51
  • @EmilioGrisolía: A cookie is a key-value pair given to the client by the server, such as "sessionid=af8ec260" (obviously longer in practice!). You can store any reasonably small data in a cookie and it's always sent to the server. However the data cannot be trusted, just like any client input can't, so in practice people often just send a session ID and store the actual data that you might not want people to tamper with on the server side. – Matti Virkkunen Feb 24 '16 at 20:09
  • Hey, thanks :) I just edited my post with useful links. I've been looking around and finally I understand how it works :) Thanks again :) – Emilio Grisolía Feb 24 '16 at 20:15