Friday, 5 June 2020

Question about cookie-session security

Hi all,

I'm improving my knowledge about authentication, security, sessions and cookies, and when using cookie-session (instead of express-session) I came up with a question, which might be a bit silly, but I haven't found a specific answer yet.

If the whole session info (let's say a user object) is stored in the cookie, rather than in some session storage (as you would with express-session), then doesn't it raise a security risk that a third party could just take the cookie from your browser and use it to send requests without knowing your username or password anymore?

I guess the 'secure' and 'httpOnly' properties for the cookie do not help if you're trying to make requests with Postman, but does the 'domain' property help here maybe? Or am I just not finding the way to secure against a simple hack like this?

And also, a bit of a different topic: how would you check on the frontend side if the user is authenticated? For example, if you want to show a button or not? Would just checking whether the cookie exists be enough? Showing the button is maybe not that much of an issue, and the actual cookie contents for auth and permissions would be checked on the backend anyway. But I'd think just checking that the cookie exists would make the problem I described above even worse.

Submitted June 05, 2020 at 09:14AM by vsamma
