nodeJS/authentication/session_based_authentication.md
3 additions & 3 deletions
@@ -275,7 +275,7 @@ And edit the homepage to show a personalized greeting with a logout button (whic
275
275
</html>
276
276
```
277
277
278
-
### Handling post-login requests
278
+
### Handling requests after login
279
279
280
280
As of now, our `GET/` route will always display the homepage and will crash if someone has not yet logged in! There would not be a cookie and therefore no session to deserialize, so `req.session` would contain a fresh session object without any user properties. We can write a middleware that checks `req.session` and if it has a user ID in it, we can use it to query the db and grab any user info we need, then continue to the homepage. Otherwise, the user is not authenticated and we can redirect to the login page.
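Review bot: The heading rename silently changes the auto-generated anchor from `#handling-post-login-requests` to `#handling-requests-after-login`, and Markdown renderers do not fail on a dead fragment, so any link to the old slug outside this file is left pointing nowhere. The knowledge-check link at the bottom of this file is updated in the same commit, but please also search the rest of the repository (other lessons, project pages, curriculum indexes) for `handling-post-login-requests` before merging.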
We don't need to modify any of its options, as the defaults all meet the [password storage recommendations set by OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#introduction) (Open Worldwide Application Security Project). Now in our `POST/login` middleware, we can also use argon2 to verify the submitted password against the stored salted hash.
371
+
We don't need to modify any of its options, as the defaults all meet the [password storage recommendations set by OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#introduction) (Open Worldwide Application Security Project). Now in our `POST/login` middleware, we can also use argon2 to verify the submitted password against the stored salted hash:
372
372
373
373
```javascript
374
374
app.post("/login", async (req, res, next) => {
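Review bot: Only the trailing period becomes a colon on line 371, which is the right punctuation here because the sentence directly introduces the fenced `app.post("/login", ...)` block below it; no wording changes. While touching this paragraph it is worth confirming the same colon convention is used on the other sentences in this file that lead straight into a code fence, so the style fix is applied consistently rather than in one spot.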
@@ -432,7 +432,7 @@ The following questions are an opportunity to reflect on key topics in this less
432
432
- [What library can we use in Express to implement sessions?](#implementing-sessions)
433
433
- [Why do we need to set a session secret?](#session-secret)
434
434
- [How should the server respond if a user successfully logs in?](#logging-in)
435
-
- [After a user has logged in, how can the server recognize them for future requests?](#handling-post-login-requests)
435
+
- [After a user has logged in, how can the server recognize them for future requests?](#handling-requests-after-login)
436
436
- [What should the server do to "log a user out"?](#logging-out)
437
437
- [If we are to store passwords in our database, how can we ensure secure storage?](#storing-passwords-securely)
438
438
- [Should passwords be encrypted for storage and why/why not?](#storing-passwords-securely)
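Review bot: The new fragment `#handling-requests-after-login` is exactly the slug GitHub derives from the renamed heading "### Handling requests after login" (lowercased, spaces replaced by hyphens, no punctuation to strip), so this knowledge-check link resolves again. Minor: the list entry text itself still says "After a user has logged in ... for future requests?", which matches the old wording more closely than the new heading; consider aligning the question text with the heading so readers can find the section by its title.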