I'm still a beginner in using sessions and cookies and I don't understand this, so I want to ask:
1. Does each user only have 1 Session ID?
2. What is a Session ID?
I tried to store data in session, but when I tried to store other data it had a same Session ID. So how do I know who this data belongs to?
I actually want to make a shopping cart in react.js SPA using backend express. but i dont know how to store this data cart. so far what I have done I want to save the data cart into a session, like product_id and product_variantand then call this product_id and product_variant in database based on this Session ID.
Correct Me If I'm Wrong. Thanks
You should be generating the session ID & then storing it in a database & attaching it to a user ID. That way you know the user by looking for their session ID when they move around the website/software.
You can also record things like their IP address, browser information, and time of access to make it a tad bit more secure - making it harder for a hacker to hijack their session information.
Also, the only other thing I should mention is that you should not be storing private information in the session data. For example, do not store their account ID in the session variables or their password/email/username/etc. It is possible to modify session data & access other accounts if you rely on the session data itself to tell you who a user is. The encrypted/randomized session IDs can be so unique that it is near impossible for a user to reasonably trick your server into thinking they are a different account. So that's why we store them in the database w/ additional information instead of setting other session variables.
Example:
In PHP we could have the session_id(), but also store things like $_SESSION['setting'], or $_SESSION['theme_choice'] and other trivial settings to prevent having to look it up in the database every page load.
Related
I don't know which forum suits this question, so suggest me to move...
I do not want to store current user data in browser (cookie,session storage or local storage).
So what else options are there,
Heard about the redux- pattern ng-rx does it holds data even after refreshing the page, if yes where does it store the data.
I am very much new to angular and have experience with .net where we store data on server side using session or anything else like memcache etc.
I can only see one option to use any database to store data like firestore or anything else.
what else options I could adopt to store user sessions data or temporary data which should be available even user refresh the page.
I am using Angular2 & Auth0 to Authenticate a user.
Currently, according to their "best-practice" , the user profile is saved to localStorage , and once you need to pull information, take it from there.
This sounds like a bad practice to me, is there a better way to keep logged in profile for local query (name, photo etc.)? maybe using an Angular2 service?
The problem is if you want to keep the user profile for later use (if the user close the window and reopen it later) without having to make request to a server. Then you need to store it somewhere.
And storage facilities in the browser are quite limited: IndexedDB for database storage with query capabilities, indexes, etc, localStorage for simple key=>value storage,or even cookie for a limited amount of data as plain-text.
but if you don't need the data for a later use, you can keep it in memory (in a service, for example).
You can also combine both in-memory and offline-storage in a service.
You can combine both ways.
Storing it in localstorage to get that infos without request them anytime and wrapping a Service around it to not address the storage from everywhere.
I'm trying to make a basic social networking application following Write Modern Web Apps with the MEAN Stack book.
The end result should be: https://mean-sample.herokuapp.com/
I got through to getting user accounts set up, having a user log in and create a personalized post. But as soon as I refresh, the user gets logged out.
What am I doing wrong? And how do I fix this?
In the client side we cant maintain the session, we need the server support to it. There are many ways to maintain the session
1 Token based, for each request to the server, the server will check whether token exists or not.
2 We can store in the localstorage while refresh the rootscope will be, at that time we can take from local store and populate the page objects.
Maintaining in server side is secured and advisable.
use localstorage, it will help you in maintaining the session and also store user details temporarily.
Refer this for more details
https://github.com/grevory/angular-local-storage
I'm already familiar that MongoDB is based on documents that are in JSON format. I'm creating my first web app using the MEAN stack, where users can register and then be able to sign in to a back-end dashboard where they can implement products/profile information etc. How would I set that up to be stored on MongoDB? would each user be stored as a document? And as far as security reasons, how can I go about not allowing a GET request to be able to get a different users information?
Currently, I just have a collection of users, and a collection of products (with the unique id number for each user), etc. to me that doesn't seem the proper way to store data.
If anyone can help me on how to setup the database for Mongo that would be fantastic! Thanks in advance!
would each user be stored as a document?
Yes, each user is an object, thus it's stored as a separate document.
how can I go about not allowing a GET request to be able to get a different users information?
This has nothing to do with Mongo or any other data storage mechanism. You'll need to work on a Web service layer which exposes your data filtering requests to authorize them based on user role, claims or any authorization approach you might find useful in your scenario.
Maybe you should look at implementing OAuth2. There's a package that integrates with Express to implement your own OAuth2 authorization server: node-oauth2-server.
Currently, I just have a collection of users, and a collection of
products (with the unique id number for each user), etc. to me that
doesn't seem the proper way to store data.
You are on the right way actually. Now when you show products page for users you need to retrieve only documents that belong to that single user that is currently authenticated, this implies that you have authentication set up, and products have a userId field.
This is how most application work. If you want to read about other ways of solving this then read about multi-tenancy.
I am currently learning about security aspects in web applications.
My application used to identify the current user by a cookie which was created on successful login. It contained the user's id. Every time the user has made a request to the database, my application would use that id to select only those results that were associated with this id.
However, as I learned, it would be no problem at all to simply change that cookie's value and therefore get access to another user's data.
My issue now is: how would I safely store such data and make it available to both PHP and Javascript?
I thought of HTML5 sessionStorage, but that would be vulnerable too.
My second thought was to store it by PHP only in a $_SESSION variable, but then I could not access its value via Javascript.
I feel like I can not wrap my head around the basic concepts of how to create a secure and functional user-management system.
Any help will be appreciated.
I would store the user id data only in the session. Why do you need cookies?
To communicate between JS and PHP use ajax. Best library for this is jQuery
.
Simple solution:
Add a userKey field to the database.
When user logs in, generate a random unique string and save it in DB
Save this string in cookie. Save user ID in cookie.
On the next visit, select from the database user with the corresponding userKey and ID.
It is somewhat secure, because the string is random, so only bruteforce helps.
Longer the string - harder to bruteforce.
The solution is simple, it can be upgraded by using crypting of ID, checking IP, etc.