express-session: I don't understand why it can be secure

OK, I saw this example, and the cookie is encrypted.

var express = require('express')
var session = require('express-session')

var app = express()
app.set('trust proxy', 1) // trust first proxy
app.use(session({
  secret: 'keyboard cat',
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true } // only send the cookie over https
}))

This is my question: let's say A and B sit next to each other, B copies A's request, which includes the session info (encrypted cookie), and puts it in his request. Yes, B cannot decrypt the cookie, but so what? From the server side, it checks the session info, and it's using the same secret for A and B. So the request goes through.

So how is this session more useful than a cookie from a security point of view?
If you run with https and your physical computer is secure from outsiders, then your express session cookie is protected from outsiders when stored locally and is protected (by https) when in transport to the server.
So, as long as the session cookie is protected from being stolen, then access to the express-session data stored on the server will be available only to a computer who has that session cookie.
This is similarly true of regular cookies too (which also need https to be secure), but the difference with a session cookie is that it doesn't contain any actual data. It contains only an encrypted ID that is used by the server to identify which session object corresponds with that user. Session data is then only available on the server itself, which further insulates it from some types of attacks.

This is my question: let's say A and B sit next to each other, B copies A's request, which includes the session info (encrypted cookie), and puts it in his request.

If B can see A's cookies because A is not using https and B has access to A's network, then nothing is secure. You need to use https for either plain cookies or session cookies to have any decent level of security. In fact, even A's login would likely be insecure if B can watch the whole transaction on the network.

So how is this session more useful than a cookie from a security point of view?

Neither is secure if you're running them over http. Both can be secure if you're running them on https. But a session has all sorts of features that storing actual session state in a plain cookie does not, such as the ability to maintain a session across multiple devices (when session storage is made persistent and can be reattached to any login from a user from any device), to provide session storage of larger and richer state (way beyond what can be stored in a plain cookie), etc. Server-side sessions are just more flexible and more powerful, which is one reason why they are popular.