Cookie less version?
I have a cookie-less API (which uses JWT for authentication) for a single page app and need a session store for the `passport-oauth1` module (unfortunately, that module requires a session store to work). I was wondering if I could instead base the session store on a `req.query.session_id` query parameter instead of storing the session id in a cookie. Is there any module that behaves like `express-session` but which will retrieve the session id from a URL rather than a cookie?
Issue Analytics
- State:
- Created 7 years ago
- Reactions:4
- Comments:8 (4 by maintainers)
Top GitHub Comments
Gotcha. So the main part of authentication / security would be in your JWT handling; a cookie-less version of this module wouldn’t help in that regard, as securing your JWT would end up falling to you as implementation-specific details. For example, JWTs can be constructed in any way, signed or not, encrypted or not, come in anywhere in a request, etc.
The main features this module provides on top of get/set on the session store is management mainly around cookies specifically – that when a cookie does not exist, it makes a new one, creates a new session, etc. Typically with these “cookie-less” flows like JWT, a request without a JWT is not just going to want to get a session created for it, it would typically be outright rejected.
I believe there is another thread somewhere, and I will try and dig it up for you. I don’t think this was in that thread, but just a current thought: perhaps a `req.session.load` API would be added that would load up a specific session ID in which you can call after decoding your incoming JWT–I haven’t put a lot of thought into that, so take that just with a grain of salt on if it would work or not 😂

@dougwilson Thanks for replying really fast. Appreciate it.
Yeah we were thinking of proceeding that way. But since this is one of the core parts of our system as a whole we were thinking it would be better if we could use something really battle tested like `express-session`. We do not want to roll out creepy security bugs especially in something as critical as authentication. That’s why I was trying to integrate `express-session` together with jwt instead of cookies.
I hope you might be able to provide more insights regarding this. Thanks in advance.
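
The flow discussed in the comments above (verify the incoming JWT, then load one specific session ID from the store, and reject a request without a valid JWT instead of creating a session for it), as an added example that is not code from the thread or from express-session. The `sid` claim, `jwtSession`, `memoryStore` and the secret are assumptions made for illustration; only the `store.get(sid, callback)` shape follows express-session stores.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value; use a managed secret in practice
const b64url = (s) => Buffer.from(s).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Issue an HS256 JWT carrying the session id in a hypothetical `sid` claim.
function signJwt(claims, secret = SECRET) {
  const body = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(claims));
  return body + '.' + hmac(body, secret).toString('base64url');
}

// Check signature, pinned algorithm and expiry; return the claims or null.
function verifyJwt(token, secret = SECRET, now = Date.now()) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const expected = hmac(parts[0] + '.' + parts[1], secret);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
    if (header.alg !== 'HS256') return null; // never let the token choose the algorithm
    if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) return null;
    return claims;
  } catch (e) { return null; }
}

// Express-style middleware: a request without a valid JWT gets 401, never a new session.
function jwtSession(store) {
  return (req, res, next) => {
    const m = /^Bearer (.+)$/.exec(req.headers.authorization || '');
    const claims = m && verifyJwt(m[1]);
    if (!claims || typeof claims.sid !== 'string') return res.status(401).end();
    store.get(claims.sid, (err, sess) => {
      if (err) return next(err);
      if (!sess) return res.status(401).end(); // unknown or destroyed session
      req.session = sess;
      req.sessionID = claims.sid;
      next();
    });
  };
}

// Constructed in-memory stand-in exposing the get(sid, callback) method of express-session stores.
function memoryStore(initial = {}) {
  const data = new Map(Object.entries(initial));
  return { get: (sid, cb) => cb(null, data.get(sid)) };
}
```

Carrying the token in the `Authorization` header rather than a `session_id` query parameter keeps the identifier out of access logs and `Referer` headers.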