TTC
Theo's Typesafe Cult7mo ago
Hamza Ali

Session & Cookies

Some time ago, I started backend development with node.JS, express.JS and mongo DB, I was completely lost on how everything works, over the months I have built a small understanding of how things work. I can now build a somewhat basic backend. The above paragraph is for you to understand where I am coming from. Right now I am figuring out how session and cookies work in a website using react.JS, prisma, express.JS, passport.JS, postgresql and node.JS (before for auth, I would use JWT tokens), When learning them, I went through the internet and came across explanations on their usage. They told me this, when logging in you have to store sessions in the database like this. 
require("./strategies/local.ts");
const app = express();
app.use(express.json());
app.use(cors());
app.use(cookieParser());
app.use(
  session({secret: process.env.SESSION_SECRET as string,
    resave: false, saveUninitialized: false,
    cookie: { maxAge: 30 * 24 * 60 * 60 * 1000 },
    store: new (require("connect-pg-simple")(session))({
      pool: new pg.Pool({
        user: value,
        host: value,
        port: value,
        database: value,
        password: value,
      }), tableName: value,
    }) }))
app.use(passport.initialize())
app.use(passport.session())
require("./strategies/local.ts");
const app = express();
app.use(express.json());
app.use(cors());
app.use(cookieParser());
app.use(
  session({secret: process.env.SESSION_SECRET as string,
    resave: false, saveUninitialized: false,
    cookie: { maxAge: 30 * 24 * 60 * 60 * 1000 },
    store: new (require("connect-pg-simple")(session))({
      pool: new pg.Pool({
        user: value,
        host: value,
        port: value,
        database: value,
        password: value,
      }), tableName: value,
    }) }))
app.use(passport.initialize())
app.use(passport.session())
and when logging out first destroy the session from the machine with this code. 
req.logout(function (err) {
      if (err) throw new Error(err);
      req.session.destroy(function (err) {
        if (err) throw new Error(err);
  res.status(200).send({ message: "Logged out successfully." })
      })
    })
req.logout(function (err) {
      if (err) throw new Error(err);
      req.session.destroy(function (err) {
        if (err) throw new Error(err);
  res.status(200).send({ message: "Logged out successfully." })
      })
    })
and then delete the session from the database, So lets suppose I use something like 
prisma.loginSession.delete()
prisma.loginSession.delete()
So here is my question, when deleting the session from the database do I manually have to delete them like above or is there some inbuilt code for handling that, without using prisma. Also Some recommendation for backend topics will be appreciated.
4 Replies
gmoxy
gmoxy7mo ago
You should invalidate (delete or only mark as expired) the session from the database and check the validity of it on every secure request with your database https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#logout-button a good read if you want to understand cookies security to a industry standards
Session Management - OWASP Cheat Sheet Series
Website with the collection of all the cheat sheets of the project.
gmoxy
gmoxy7mo ago
also depends on how you check cookies
Hamza Ali
Hamza Ali7mo ago
Thanks for answering, I have another question. What's the point of saving the session in the database when the user logs in and deleting the session from the database when the user logs out? Ok it got solved. Thanks anyway.
Erick Rodriguez
Erick Rodriguez7mo ago
Express can't by itself tracks users, so it need two references: the cookie and the record of the session manager. It is part of the process of express to check what users are active and which don't. Usually you would prune the DB with a scheduled task.
Want results from more Discord servers?
Add your server
More Posts
Multi Database Architecture in Next.jsHey Theo and the Community So I'm trying out something where I use the same frontend application to Log elapsedMs to axiomHi! I want to track my endpoints speed, they involve querying my postgresql db as well as my redis cFeature RequestIs it possible to have a default support for typeorm similar to what prisma and drizzle have.how to create relatedWords relation for each words using drizzle. | DRIZZLE | SQL |Hi folks, I'm building an online Turkish dictionary using t3 stack with drizzle. I want every word Can anyone help me solve the 413 error with NextJS app router?I'm getting the 413 error when i try to use fetch with POST method and send an image that is about 1npm i => could not resolve in Nextjs 14Hello~! Im frontend developer in Korea! I'm trying to use uploadingthing in nextjs 14, but I found tI was trying to make an app using tRPC, prisma and neon database I am facing some issuesSo what I wanna do is push details of a playlist into DB Here is what I have defined in my trpc/indeGet username from a Clerk userI'm building a blog and I want to display the author's username at the of each blog but I don't knowTagged Union in a Relational Databasereally specific question, how does one represent a tagged union in a relational database? take the Can't delete globally installed npm packagei want to delete the serverless.js npm package that's installed globally if i run `serverless --vers