Build a Membership System with Express.js Session
Introduction
Building on the previous tutorials, we can write basic CRUD programs, but because HTTP is stateless the server cannot tell one request from the next: the user would have to re-authenticate on every action, which is a poor experience.
One solution is for the server to create a session (a piece of data stored on the server) when a request arrives and return a session ID to the user, typically in a cookie. On later requests the server uses that ID to locate the user's session data, so it can remember per-user state.
Session Storage
Specifically, express-session is a commonly used package that helps us implement server-side sessions. It is recommended to read the official documentation for the remaining settings, such as:
- `name`: the cookie name; customize it and avoid using the default `connect.sid`
- `cookie.httpOnly`: defaults to `true`, but it is recommended to specify it explicitly
- `cookie.sameSite`: recommended to set to `strict` for increased security
- …
Minimal Example
Based on Creating a Simple CRUD Todo List with Express.js, create a simple backend server and install express-session to help us build sessions that remember users. By default sessions are stored in memory, but the store can be a file system, a database, or distributed storage; express-session does not dictate where session data lives.
The above is a minimal example. When a user visits the homepage, the server counts the visit and stores the count in the session; each later visit by the same user increments the count.
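As an added example (not the tutorial's own code, which is not reproduced here), the following shows what "there is no rule for session storage" means in practice: a small in-memory store with per-session expiry that exposes the callback methods express-session expects from a custom store (`get`, `set`, `destroy`, `touch`), plus the visit counter written as a plain function over the session object. The default MemoryStore never evicts anything and is meant for development only. To actually plug this in you would extend `require('express-session').Store` (which supplies the event-emitter methods express-session calls on a store) with these same methods; the class is kept stand-alone here so the file runs without the package installed. The injectable `now` clock is a testing convenience, not something express-session requires.

```javascript
// Added example, not the tutorial's repo code.
// In a real app: class TtlSessionStore extends require('express-session').Store
// and app.use(session({ store: new TtlSessionStore(), secret: '...', ... })).

class TtlSessionStore {
  // `now` is injectable so expiry can be tested deterministically.
  constructor({ defaultTtlMs = 15 * 60 * 1000, now = () => Date.now() } = {}) {
    this.defaultTtlMs = defaultTtlMs;
    this.now = now;
    this.sessions = new Map(); // sid -> { data, expiresAt }
  }

  // Expiry follows the session cookie (maxAge, else an absolute expires),
  // falling back to the store default when the cookie has neither.
  expiryFor(sess) {
    const cookie = (sess && sess.cookie) || {};
    if (typeof cookie.maxAge === 'number') return this.now() + cookie.maxAge;
    if (cookie.expires) return new Date(cookie.expires).getTime();
    return this.now() + this.defaultTtlMs;
  }

  get(sid, cb) {
    const entry = this.sessions.get(sid);
    if (!entry) return cb(null, null);
    if (entry.expiresAt <= this.now()) {
      // Lazy eviction on read: an expired session must look like no session.
      this.sessions.delete(sid);
      return cb(null, null);
    }
    // Hand back a copy so callers cannot change stored state without set().
    return cb(null, JSON.parse(JSON.stringify(entry.data)));
  }

  set(sid, sess, cb) {
    this.sessions.set(sid, {
      data: JSON.parse(JSON.stringify(sess)),
      expiresAt: this.expiryFor(sess),
    });
    cb(null);
  }

  // express-session calls touch() to extend a session's life (e.g. with
  // rolling: true); only the expiry moves, the data stays as is.
  touch(sid, sess, cb) {
    const entry = this.sessions.get(sid);
    if (entry) entry.expiresAt = this.expiryFor(sess);
    cb(null);
  }

  destroy(sid, cb) {
    this.sessions.delete(sid);
    cb(null);
  }

  // Sweep for a periodic timer; returns how many sessions were evicted.
  prune() {
    let removed = 0;
    for (const [sid, entry] of this.sessions) {
      if (entry.expiresAt <= this.now()) {
        this.sessions.delete(sid);
        removed += 1;
      }
    }
    return removed;
  }
}

// The tutorial's visit counter over the session object. express-session
// saves req.session after the response, so mutating it is all a handler does.
function countVisit(session) {
  session.views = (session.views || 0) + 1;
  return session.views;
}

module.exports = { TtlSessionStore, countVisit };
```

Lazy eviction in `get` is what makes an expired session ID worthless even if the browser keeps sending it; the `prune` sweep only keeps memory bounded for sessions nobody comes back for.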
Login System
- Registration page `/register`: users enter a username and password; the server checks whether the account already exists and, if not, registration succeeds.
- Login page `/login`: users enter their username and password.
- Login processing `/login`: the server verifies the credentials and, if they are correct, sets the `isLoggedIn` status and `username` in the session.
- Profile page `/profile`: shows the user's data or redirects to the login page, depending on login status.
- Logout `/logout`: destroys the session and clears the cookie.
I put the project on GitHub as express-in-memory-session; you can download it and play with it.
Security Best Practices
- Use HTTPS: encrypt the session ID in transit to prevent man-in-the-middle attacks.
- Set the HttpOnly and Secure cookie flags: HttpOnly keeps JavaScript from reading the session ID, and Secure ensures the cookie is only sent over HTTPS.
- Session expiration time: set a reasonable session lifetime, such as expiring after 15 minutes of inactivity.
- Regenerate the session ID: regenerate the session ID on login and logout to prevent session fixation attacks.
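The following added example (not the tutorial's repo code) puts the login-system routes and the best practices above into one place: a hardened set of express-session options, a `/login` handler that regenerates the session ID before marking the user as logged in, a `/profile` gate, and a `/logout` that destroys the session and clears the cookie. The shapes of `req.session.regenerate`, `req.session.destroy` and `res.clearCookie` follow express-session and Express, but the file does not require either package, so it runs stand-alone; `findUser` and `checkPassword` are assumed application callbacks (e.g. a database lookup and a bcrypt comparison) that the login handler receives.

```javascript
// Added example, not the tutorial's repo code.
// Wiring in an app would look like:
//   app.use(session(sessionOptions({ secret: process.env.SESSION_SECRET,
//                                     isProduction: process.env.NODE_ENV === 'production' })));
//   app.post('/login', makeLoginHandler({ findUser, checkPassword }));
//   app.get('/profile', profileHandler);
//   app.post('/logout', logoutHandler);

const SESSION_COOKIE_NAME = 'sid'; // anything but the default connect.sid

function sessionOptions({ secret, isProduction, store }) {
  if (typeof secret !== 'string' || secret.length < 32) {
    throw new Error('session secret must be a long random string');
  }
  return {
    name: SESSION_COOKIE_NAME,
    secret,
    store,                    // undefined falls back to MemoryStore (dev only)
    resave: false,
    saveUninitialized: false, // no cookie is issued until something is stored
    rolling: true,            // idle timeout: expiry is refreshed on activity
    cookie: {
      httpOnly: true,         // JavaScript cannot read the session ID
      secure: isProduction,   // HTTPS only (behind a proxy also set app.set('trust proxy', 1))
      sameSite: 'strict',     // cookie is not sent on cross-site requests
      maxAge: 15 * 60 * 1000, // 15 minutes of inactivity
    },
  };
}

// POST /login: verify credentials first, then regenerate the session so an
// ID that existed before authentication is never promoted to a logged-in
// session (session fixation), and only then store the login state.
function makeLoginHandler({ findUser, checkPassword }) {
  return async (req, res) => {
    const { username, password } = req.body || {};
    const user = username ? await findUser(username) : null;
    // checkPassword is expected to run its full cost even when user is null,
    // so response time does not reveal which usernames exist.
    const ok = await checkPassword(user, password || '');
    if (!user || !ok) {
      return res.status(401).send('invalid credentials');
    }
    await new Promise((resolve, reject) =>
      req.session.regenerate((err) => (err ? reject(err) : resolve()))
    );
    // express-session replaces req.session with a fresh object here.
    req.session.isLoggedIn = true;
    req.session.username = user.username;
    return res.redirect('/profile');
  };
}

// GET /profile: only the session decides, never anything the client sends.
function profileHandler(req, res) {
  if (!req.session || !req.session.isLoggedIn) return res.redirect('/login');
  return res.send(`Hello, ${req.session.username}`);
}

// POST /logout: drop the server-side state, then clear the cookie so the
// browser stops presenting the now-useless ID.
function logoutHandler(req, res) {
  req.session.destroy((err) => {
    if (err) return res.status(500).send('logout failed');
    res.clearCookie(SESSION_COOKIE_NAME);
    return res.redirect('/login');
  });
}

module.exports = { SESSION_COOKIE_NAME, sessionOptions, makeLoginHandler, profileHandler, logoutHandler };
```

Note the order in the login handler: regenerate, then write `isLoggedIn`. Writing the flag first and regenerating afterwards would copy nothing harmful, but would leave a window in which the pre-login ID is already authenticated if the regenerate step fails.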
Password Encryption
Passwords should not be stored in plain text but in hashed form (e.g., using bcrypt): a hashing algorithm turns the password into data that cannot be reversed. When the user logs in later, the submitted password is hashed the same way and the two results are compared. This way, even if the password database leaks, the users' passwords are not directly exposed.
To keep hash values unique, bcrypt generates a random "salt" by default and combines it with the password before hashing. Two users with the same password therefore end up with different hashes, which makes cracking harder.
Further Reading
- Your complete guide to understanding the express-session library - Zach Gollwitzer
- HTTP Session Attacks and Defenses - DEVCORE Allen Own
- Understanding and Preventing CSRF, Written for Web Developers - WebDong