Session & Cookies
Some time ago, I started backend development with Node.js, Express.js and MongoDB. I was completely lost on how everything works; over the months I have built a small understanding of how things work. I can now build a somewhat basic backend.
The above paragraph is for you to understand where I am coming from.
Right now I am figuring out how sessions and cookies work in a website using React.js, Prisma, Express.js, Passport.js, PostgreSQL and Node.js (before, for auth, I would use JWT tokens). When learning them, I went through the internet and came across explanations of their usage. They told me this: when logging in you have to store sessions in the database like this.
and when logging out, first destroy the session from the machine with this code.
and then delete the session from the database. So let's suppose I use something like
So here is my question: when deleting the session from the database, do I manually have to delete it like above, or is there some inbuilt code for handling that without using Prisma? Also, some recommendations for backend topics would be appreciated.
4 Replies
You should invalidate (delete or only mark as expired) the session in the database and check its validity on every secure request against your database.
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#logout-button
A good read if you want to understand cookie security to industry standards.
Also depends on how you check cookies.
Thanks for answering, I have another question. What's the point of saving the session in the database when the user logs in and deleting the session from the database when the user logs out?
Ok it got solved. Thanks anyway.
Express can't by itself track users, so it needs two references: the cookie and the record of the session manager. It is part of Express's process to check which users are active and which aren't. Usually you would prune the DB with a scheduled task.