Comments (3)
So the sig is just a hash of the data itself. Since the client controls all the data, it can always resend the data even after you alter it from the server, because ultimately the client controls it. This is the downside of client side sessions.
You may want to consider using server side sessions instead, where the client cannot control what data is sent back, as that is ultimately the only way you can expire a session based on an event instead of time: you have to have something stored on the server to know if that given session has been logged out or not.
I hope this helps explain the difference between client side and server side sessions.
If you know a way in which to implement this without any server side storage, you're welcome to open a pull request with an implementation. As far as I know, it is not possible to prevent what you described with client side sessions.
from cookie-session.
@dougwilson thank you for the explanation -- so if I understand correctly, for a given input the session and the session.sig will always be the same every time it gets generated -- and there's no way for the server to know if this session is no longer valid
from cookie-session.
Yes, that is correct. You can always add a date time in your data you store which is the time you want to expire the session, but the session will then be valid until that time passes, so the log out scenario would still not work since you wouldn't know the exact date time the user will log out ahead of time.
from cookie-session.