

Ask HN: What is the correct way of session handling in web applications? - sunilkumarc

Hi Hackers,

I'm a naive web developer who is trying to build a small web application using Node.js and React.js. Currently I'm stuck at session handling for the chosen technology stack. I have seen some examples (one example: https://github.com/rdegges/svcc-auth) which use Node.js for the back end and the Jade template engine for the front end. In such applications, sessions are being handled only on the server side. I'm facing difficulties in doing the same thing with the Node.js and React.js combination because I'm handling the routing on the client side using react router.

I'm a bit confused about session handling in web applications. So, I wanted to know what a typical session handling architecture looks like in web applications and what is the correct way (best way) to implement this for the Node.js + React.js combination.

Any links/resources/comments are highly appreciated.
======
lsiunsuex
I've only this week begun working with React, so I can't speak for that
specifically, but sessions generally have the same idea across most languages,
IMO.

A session is nothing more than a handful of variables and values stored
somewhere specific to the user that can be passed back to the server, a query
of sorts run using those values and an output provided.

(generally speaking)

In PHP, a PHPSESSID generally gets stored on the user's machine in a cookie
when a user visits a page where session_start() has been executed. That ID
corresponds to an array ( $_SESSION ) on the server where, for example, user_id,
name, email might be set and used to generate this query, with the query
looking something like (very generic) select * from users where
id=$_SESSION['user_id']

You're using NodeJS, which means you're probably using a document store like Mongo,
so you can't really do queries in the traditional sense, but you can request
variable documents.

In a recent AngularJS / Firebase app I built, I use localstorage service to
store non-critical information - id, name, email, etc... NEVER the password.
Name and email are for presentation - when a user loads a page, it's nice for
the system to show them who they are - but user_id is what gets passed back to
Firebase to do the lookup so in the case of Firebase the "query" is
site.firebaseio.com/users/user_id - this will spit out whatever you have
stored in /users/user_id be it chat history, email address, etc...

Could someone modify localstorage variables? Yeah, probably - but that's why on
the server side (your NodeJS) you're gonna check the incoming variable, make
sure it's nothing malicious and pass it into the DB, and in the case of
Firebase, you can set up access rules to further limit who has access to what.

I'd assume a localstorage service is available to React, or something similar.
It would be a good place to start.

And NEVER store sensitive information in a cookie / session / localstorage,
including address info or CC info.

(2 cents, I may be completely absolutely wrong)

