Is the top-voted answer given here secure?
As far as I can tell, the communications are not encrypted. Are there any other holes that need to be patched for a truly secure authentication system?
In Express, sessions use cookies to make a connection between a browser and the database. The cookie is encrypted using a secret key you set in the application. If you are interested, this is the code used to encrypt the cookie: https://github.com/senchalabs/connect/blob/master/lib/utils.js#L158-163
If you are afraid that somebody on the network can sniff the traffic, then you should use HTTPS, and if you’re even more paranoid you can encrypt the data again client-side and decrypt it server-side using the Stanford Javascript Crypto Library.
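Added example, not part of the original answer and not Connect's own code: a sketch of a Connect-style signed session cookie, assuming an HMAC-SHA256 `value.signature` scheme. Function names, the secret and the session ID are hypothetical, constructed values. It shows that the signature makes the cookie tamper-evident while the session ID itself stays readable on plain HTTP, which is why HTTPS and the `Secure` flag matter.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed sample values, not taken from any real deployment.
const SECRET = 'constructed-demo-secret';
const SESSION_ID = 'k3Qx9constructedSessionId';

// Base64 HMAC-SHA256 of the value, padding stripped (assumed scheme).
function mac(value, secret) {
  return createHmac('sha256', secret).update(value).digest('base64').replace(/=+$/, '');
}

// Signing appends the MAC after a dot; the value itself is left in clear text.
function signCookie(value, secret) {
  return `${value}.${mac(value, secret)}`;
}

// Returns the original value, or false when the value or MAC was altered.
function unsignCookie(signed, secret) {
  const idx = signed.lastIndexOf('.');
  if (idx <= 0) return false;
  const value = signed.slice(0, idx);
  const given = Buffer.from(signed.slice(idx + 1));
  const expected = Buffer.from(mac(value, secret));
  if (given.length !== expected.length) return false;
  // Constant-time comparison avoids leaking how many MAC bytes matched.
  return timingSafeEqual(given, expected) ? value : false;
}

// What anyone on the network path can read when the cookie travels over HTTP.
function observerView(signed) {
  return signed.slice(0, signed.lastIndexOf('.'));
}

// Set-Cookie header with the flags that keep the cookie off plain HTTP
// and away from page scripts.
function setCookieHeader(name, signed) {
  return `${name}=${encodeURIComponent(signed)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

const cookie = signCookie(SESSION_ID, SECRET);
console.log('readable on the wire:', observerView(cookie));
console.log('valid cookie        :', unsignCookie(cookie, SECRET));
console.log('modified cookie     :', unsignCookie('x' + cookie, SECRET));
console.log(setCookieHeader('connect.sid', cookie));
```

An unmodified cookie verifies no matter who presents it, so the signature alone does not protect a session whose cookie was captured in transit.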