Cookie less version?


I have a cookie-less API (which uses JWT for authentication) for a single page app and need a session store for the passport-oauth1 module (unfortunately, that module requires a session store to work). I was wondering if I could instead base the session store on a req.query.session_id query parameter instead of storing the session id in a cookie. Is there any module that behaves like express-session but which will retrieve the session id from a URL rather than a cookie?

Issue Analytics

  • State: open
  • Created 7 years ago
  • Reactions: 4
  • Comments: 8 (4 by maintainers)

Top GitHub Comments

3 reactions
dougwilson commented, Apr 15, 2020

Gotcha. So the main part of authentication / security would be in your JWT handling; a cookie-less version of this module wouldn’t help in that regard, as securing your JWT would end up falling to you as implementation-specific details. For example, JWTs can be constructed in any way, signed or not, encrypted or not, come in anywhere in a request, etc.

The main features this module provides on top of get/set on the session store are management mainly around cookies specifically – that when a cookie does not exist, it makes a new one, creates a new session, etc. Typically with these “cookie-less” flows like JWT, a request without a JWT is not just going to want to get a session created for it; it would typically be out-right rejected.

I believe there is another thread somewhere, and I will try and dig it up for you. I don’t think this was in that thread, but just a current thought: perhaps a req.session.load API would be added that would load up a specific session ID in which you can call after decoding your incoming JWT–I haven’t put a lot of thought into that, so take that just with a grain of salt on if it would work or not 😂

1 reaction
jilvin commented, Apr 15, 2020

@dougwilson Thanks for replying really fast. Appreciate it.

Yeah, we were thinking of proceeding that way. But since this is one of the core parts of our system as a whole, we were thinking it would be better if we could use something really battle tested like express-session. We do not want to roll out creepy security bugs, especially in something as critical as authentication. That’s why I was trying to integrate express-session together with JWT instead of cookies.

I hope you might be able to provide more insights regarding this. Thanks in advance.
