I have some questions regarding login and sessions. I have this code:
The db query:
login: function(req,callback) {
var query = 'SELECT id FROM users WHERE email = "' + req.body.email_login + '" AND password = "' + hashlib.sha1(req.body.password_login) + '" LIMIT 1';
client.query(query, callback);
}
The route:
app.post('/login', function(req, res, next) {
users.login(req,function(err, results) {
if (err) {
res.render('index');
} else if (results[0]) {
req.session.userdata = results[0];
req.session.is_logged_in = true;
res.render('site/news');
}
}
}
Auth middleware:
var auth = function (req, res, next) {
if (req.session.userdata && req.session.is_logged_in === true) {
next();
} else {
res.redirect('/');
}
}
I use db store for the session.
Now my questions are:
1) Is this a safe way to do it? Or should I consider doing it some other way?
2) Say I have this URL /domain/users/1, where the last segment is the user id which is used to fetch user data.
And on that view I have a form for changing user data. Is it safe to check if the user id matches the session user id and then show the form?
In the view:
// e.g. get the session.id from dynamichelper
if (data.userid === session.userdata.id) {
// The form where user can change his data contained within here
}
The server is going to use SSL.
Thanks in advance
George
In the db query code, check for req.body.email_login and req.body.password_login to make sure they’re not null and that they’re strings. Someone could sent an empty response and that will generate an Internal Error on your side.
Also in the route, you might want to log the error and redirect the user to the /500.html page (internal error):
You shouldn’t do this in the view:
Try instead to achieve this in the model (preferably), make a function for it and pass only one parameter to the view like so:
The function from the model:
You can call it from the route like so (for ex):