Express login with express-session
Clone this repo or follow the steps below to learn about setting up a Node/express app that enables login, logout and secure routes.
|0. boilerplating||These steps will set up an initial project.|
|0.1||Install express-generator globally
|0.2||Create a new project named login in a new folder login and add pug support (instead of Jade).
|0.3||Install dependencies by executing
|0.4||You will see warnings, depending on how many vulnerabilities are found.
In this case you can fix it by running
After running this no vulnerabilities are reported and we can go ahead and start the app
|0.5||start the app by one of the following commands:
|0.6||Point your browser to
In our console we see:
|1. create login form||After completing these steps we have a new page and route.|
Note that bootstrap has 2 peer dependencies: jquery and popper.js. We don't need these, because we are just going to use the css. This is a list of ways to handle the
1. Ignore the warnings; not desired because the team will ignore all npm output
2. Install peer deps:
3. Install as dev deps:
4. Use ignore-warings: Unclear how to use yet, but it seems like a legit way of avoiding 2 and still keep npm output clean
5. use bootstrap cdn; Preferred to install locally to allow offline dev
6. manual install bootstrap; deps should be in package.json for keeping all updatable and visable for npm audit
|1.3||add the route to
|1.5||update layout.pug to include bootstrap
|1.6||current result routes default route to login
|2. add about-page and header||Follow below steps to add about page and header|
|2.1||Before we continue, I like to clean up some logging.
You can remove morgan from
While we are at it;
To see if
Now we can add debug info like so (in app.js):
|2.4||then there are some bits and pieces to fix in
- add error placeholder
- add link to about page
- change button to input, so the enter key works
|3. finalize login||There still stuff left to do. The examples just support login and logout, and the session is killed after 6000 ms (6sec)|
|3.1||We can remove the line
Logout removes the session.loggedIn flag, Login sets it and calls checking the credentials. A separate function is created to check the credentials called
- clean start
- wrong login
Questions / evaluation
These are answers that I seek answer to before starting this document, raised during creation and reviewing the code.
|Do I need passport and passport local for logging in?||no. Minimum is
|What is the simplest way of creating login/logout? Cookies? Server-side session?||This solution creates a cookie even when the user isn't logged in. This is a session cookie.
The value is
More on cookie security
|Can I identify the user, so I can create access groups and allow different routes per user?||No. In this case only a boolean is stored:
|Is this the simplest example?||For testing the session, you need at least 1 or 2 'secure' routes, login- and logout route and some kind of views. With a SPA the backend can be smaller.|
||For now it seems ok.|
|What are generic security recommendations?||On the express-session page it says:
Warning The default server-side session storage, MemoryStore, is purposely not designed for a production environment. It will leak memory under most conditions, does not scale past a single process, and is meant for debugging and developing. It seems MongoDB can store the session.