Wrong use of cookie/session

Question

Wrong use of cookie/session

LeanKhan opened this issue 5 years ago · 15 comments

https://github.com/hngi/node-url-shortener/blob/12b9277004c6bd0a5a0d9947d408006616c645c7/src/middlewares/validateUrl.js#L58

Answer 1 · 2019-10-11T10:06:07.000Z

What does this mean? The code seems fine to me. What needs to be changed?

Answer 2 · 2019-10-11T10:08:43.000Z

Hi, the user's id is not saved in the cookie but in the session object, normally.
Did you test it?

Answer 3 · 2019-10-11T10:11:11.000Z

And also, I don't think you can read cookies like that, you have to parse them first. Unless Express does that automatically now.

Answer 4 · 2019-10-11T10:47:00.000Z

We use cookie-parser package to parse the cookies and make it available on the req object. In my last discussion with @shonubijerry on this we agreed that the users id is best sent via a cookie. Has that decision changed yet again?

Answer 5 · 2019-10-11T11:28:23.000Z

Mehn, I didn't even know we agreed on that. Because someone already implemented it with Express Sessions. So saving cookies on the server, rather than the client.

I guess we might have to decide on one.

Answer 6 · 2019-10-11T11:30:10.000Z

Where will the userID be saved or generated?

Answer 7 · 2019-10-11T12:25:01.000Z

On initial request, id is generated and sent to the browser in a cookie. @gfredtech worked on this. On all subsequent requests, the browser will always send the cookie data. Cookie-parser is used to retrieve this data and write it into the req object. All middlewares can then make use of this user id via req.cookies.userId.

I don't know if this process is correctly implemented at the moment cos I'm away from my computer. But that's how it should work.

Answer 8 · 2019-10-11T12:35:44.000Z

Okay, makes sense. But @gfredtech actually implemented it using Sessions. Because how will we keep track of that specific user? Unless we store the users data in that cookie?

Answer 9 · 2019-10-11T13:52:30.000Z

Exactly. We put the id in a cookie. Which is persisted in the browser. And the browser sends it with every request. We can then use the id to find the users info in the db.

Answer 10 · 2019-10-11T13:53:15.000Z

Yes, meaning we have to save user data in the db also.
That's why I was saying we use sessions. Or how do you think we will go about it?

Answer 11 · 2019-10-11T13:57:03.000Z

Our app doesn't actually save user data. We save trimmed urls. We only need a user id to mark who created the url. So when we query the db, we can find all urls created by this specific user. There's no other user data to save. The id is all we need.

Answer 12 · 2019-10-11T13:58:29.000Z

That's why the url schema has a created_by field.

Answer 13 · 2019-10-11T14:00:04.000Z

Okay, how will we generate the ids?

Answer 14 · 2019-10-11T14:25:32.000Z

Hey, @gfredtech uses the automatically generated sessionID as the userID.
I believe that is fine. the created_at will be empty for first time users. Because the req.cookie.userID object has not yet been populated.
But with sessions, a session automatically created for every new visitor.

Answer 15 · 2019-10-11T15:05:26.000Z

Hey, @gfredtech uses the automatically generated sessionID as the userID.

Yeah. That should work. I don't think we have an issue here.