
I made my own login system in Node.js and I have a couple of questions about it.

To check the user's login I do this:

 function loadUser (req, res, next) {
   // Check user_id
   if (req.session.user_id) {
     // Is it in the db? findById takes the id itself, not a query object
     User.findById(req.session.user_id, function (err, user) {
       if (err) {
         return next(err); // let the Express error handler respond
       }
       if (user) {
         req.currentUser = user;
         next();
       } else {
         res.redirect('/login');
       }
     });
   } else {
     // without this branch a request with no user_id never gets a response
     res.redirect('/login');
   }
 }
 app.get('/secure', loadUser, function (req, res) {
   res.render('secure.jade', {user: req.currentUser});
 });

How safe is it? Can a hacker pick up a session key? And are there best practices to make this approach better?

Shalom Craimer
asked Dec 25, 2011 at 10:46

1 Answer

Well, if the hacker steals the user's cookie he can impersonate him, but that's the case for many websites. You shouldn't worry too much about that, though.

Also, it's better to remember the username along with the user_id; there is no point in making two queries over time.

answered Dec 25, 2011 at 16:22

5 Comments

Thank you for the response, so do you think that approach is secure? I'm interested in which approach Google uses.
Well, all websites need cookies to make a connection between a user and his account (session). You can make this more secure by keeping the IP and browser in the session data on the server side (so if another person tries to impersonate the user from another IP / browser he is denied access). Keep in mind, though, that some people use dynamic IPs all the time.
I like your idea about keeping the IP and browser in the session. But I use Node.js with Mongoose as a session store, so how can I do that in this case?
Well, all you have to do when you set a username and a user_id is to also set the browser used and the IP in that session. Later on, when you check for the user, you can check these two values as well.
Some services will text you, at a previously determined number, a 5-digit code if you attempt to log in from e.g. a different IP. You then must enter the code before being allowed to complete login. You could probably go as far as requiring retinal or fingerprint scans if you could control the hardware of the people who would use your website.
