Cookie-Sessions
Secure cookie-based session middleware for Connect. This is a new module and I wouldn't recommend for production use just yet.
Session data is stored on the request object in the 'session' property:
var connect = require('connect'),
sessions = require('cookie-sessions');
Connect.createServer(
sessions({secret: '123abc'}),
function(req, res, next){
req.session = {'hello':'world'};
res.writeHead(200, {'Content-Type':'text/plain'});
res.end('session data updated');
}
).listen(8080);
The session data is JSON.stringified, encrypted and timestamped, then a HMAC signature is attached to test for tampering. The main function accepts a number of options:
* secret -- The secret to encrypt the session data with
* timeout -- The amount of time in miliseconds before the cookie expires
(default: 24 hours)
* session_key -- The cookie key name to store the session data in
(default: _node)
* path -- The path to use for the cookie (default: '/')
* domain -- (optional) Define a specific domain/subdomain scope for the cookie
Why store session data in cookies?
- Its fast, you don't need to hit the filesystem or a database to look up session data
- It scales easily. You don't need to worry about sticky-sessions when load-balancing across multiple nodes.
- No server-side persistence requirements
Caveats
- You can only store 4k of data in a cookie
- Higher-bandwidth requirements, since the cookie is sent to the server with every request.
In summary: don't use cookie storage if you keep a lot of data in your sessions!