Skip to content

Secure cookie-based session middleware for Connect

License

Notifications You must be signed in to change notification settings

jruif/cookie-sessions

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Cookie-Sessions

Secure cookie-based session middleware for Connect. This is a new module and I wouldn't recommend for production use just yet.

Session data is stored on the request object in the 'session' property:

var connect = require('connect'),
    sessions = require('cookie-sessions');

Connect.createServer(
    sessions({secret: '123abc'}),
    function(req, res, next){
        req.session = {'hello':'world'};
        res.writeHead(200, {'Content-Type':'text/plain'});
        res.end('session data updated');
    }
).listen(8080);

The session data is JSON.stringified, encrypted and timestamped, then a HMAC signature is attached to test for tampering. The main function accepts a number of options:

* secret -- The secret to encrypt the session data with
* timeout -- The amount of time in miliseconds before the cookie expires
  (default: 24 hours)
* session_key -- The cookie key name to store the session data in
  (default: _node)
* path -- The path to use for the cookie (default: '/')
* domain -- (optional) Define a specific domain/subdomain scope for the cookie

Why store session data in cookies?

  • Its fast, you don't need to hit the filesystem or a database to look up session data
  • It scales easily. You don't need to worry about sticky-sessions when load-balancing across multiple nodes.
  • No server-side persistence requirements

Caveats

  • You can only store 4k of data in a cookie
  • Higher-bandwidth requirements, since the cookie is sent to the server with every request.

In summary: don't use cookie storage if you keep a lot of data in your sessions!

About

Secure cookie-based session middleware for Connect

Resources

License

Stars

Watchers

Forks

Packages

No packages published