# Express and Sessions

## Objectives

Students will be able to...

  • ... describe the purpose of session storage
  • ... mount session middleware in the correct order on an express application
  • ... store, retrieve, and transform session data on each request

## What do we need sessions for?

We need sessions as a server-side store of client data.

Specifically, we use them to store data that does not need long-term persistence but will likely be needed again (possibly only once more) when the same client makes another HTTP request. We call such data session data.

### When would we need to do that?

A highly common use case is user authentication. Rather than requiring the user to authenticate on every request, we store their login as session data and associate it with a session secret, which we then send to the client as a cookie.

The client echoes this secret in a Cookie header on each subsequent HTTP request, allowing our application to maintain the state of their session.

## First things first

Fork and clone this repo, cd into the repo's root directory, and run the following commands:

### Install dependencies

First, install the dependencies already in your package.json:

$ npm install

Next, install the centerpiece of this lesson, the express-session module:

$ npm install express-session --save

## Code-along

First, we're going to mount our session middleware on our express application. For the solution, see branch mount-session.

Next, we will look into storing our session data in an actual database using the connect-mongo module. For the solution, see branch mongo-storage.

Finally, we will write some routes that generate, store, and transform session data.

As a bonus, if we blaze through this material in record time, we might look into session hijacking.

## Lab

Get into your project groups and create a fresh file in your routes directory.

$ cd routes
$ touch lab.js

Write a module to build and export a Router. Use routes/index.js as a reference if necessary.

The Router must have at least one of the following types of routes:

  • a GET route that reads session data and sends it in a response
  • a DELETE route that destroys a session data attribute
  • a route that transforms session data, that is, changes it in some way

Reach:

  • attach a middleware to your Router that runs before any of its route handlers. It should increment a counter in the user's session, initializing the counter if it does not yet exist.

## Demo

Session hijacking, if there is time.

Steps for instructor or reviewing student:

  • install Wireshark
  • run Wireshark and begin capturing on the network interface to be used to make requests
  • search the capture log for HTTP traffic corresponding to the requests made to the back-end
  • show students/observe the Set-Cookie header sent by the server
  • show students/observe the Cookie header sent by the client on subsequent requests
  • use Postman with the Interceptor add-on to alter the Cookie header
  • send requests using a cookie that belongs to another user's session, hijacking it
  • perform requests against that session that significantly alter its state