
Ask HN: What is the correct way of session handling in web applications?

1 point | by sunilkumarc, almost 10 years ago

Hi Hackers,

I'm a naive web developer who is trying to build a small web application using Node.js and React.js. Currently I'm stuck at session handling for the chosen technology stack. I have seen some examples (one example: https://github.com/rdegges/svcc-auth) which use Node.js for the back end and the Jade template engine for the front end. In such applications, sessions are being handled only on the server side. I'm facing difficulties in doing the same thing with the Node.js and React.js combination because I'm handling the routing on the client side using React Router.

I'm a bit confused about session handling in web applications. So I wanted to know what a typical session handling architecture looks like in web applications and what the correct (best) way is to implement this for the Node.js + React.js combination.

Any links/resources/comments are highly appreciated.

1 comment

lsiunsuex, almost 10 years ago

I've only this week begun working with React, so I can't speak for that specifically, but sessions generally have the same idea across most languages, IMO.

A session is nothing more than a handful of variables and values stored somewhere specific to the user that can be passed back to the server, a query of sorts run using those values and an output provided.

(generally speaking)

In PHP, a PHPSESSID generally gets stored on the user's machine in a cookie when a user visits a page where session_start() has been executed. That ID corresponds to an array ($_SESSION) on the server where, for example, user_id, name, email might be set and used to generate the query, with the query looking something like (very generic) select * from users where id=$_SESSION['user_id']

You're using NodeJS, which means you're probably using a document store like Mongo, so you can't really do queries in the traditional sense, but you can request variable documents.

In a recent AngularJS / Firebase app I built, I use a localstorage service to store non-critical information - id, name, email, etc... NEVER the password. Name and email are for presentation - when a user loads a page, it's nice for the system to show them who they are - but user_id is what gets passed back to Firebase to do the lookup, so in the case of Firebase the "query" is site.firebaseio.com/users/user_id - this will spit out whatever you have stored in /users/user_id, be it chat history, email address, etc...

Could someone modify localstorage variables? Yeah, probably - but that's why on the server side (your NodeJS) you're gonna check the incoming variable, make sure it's nothing malicious and pass it into the DB, and in the case of Firebase you can set up access rules to further limit who has access to what.

I'd assume a localstorage service is available to React or something similar. It would be a good place to start.

And NEVER store sensitive information in a cookie / session / localstorage, including address info or CC info.

(2 cents, I may be completely absolutely wrong)