On my node.js server (running express and socket.io), when a person connects, I add them to an array and save their location in the array into their session so each connection has access to their own information like so:
session.person_id = people.length;
session.save();
people.push(new Person());
//people[session.person_id] => Person
And the only thing that I save in the session is person_id. I have been using express.session() to handle this, which has been working fine until I started sending information to everyone who is connected at once. As I loop through their connections and get their sessions, sometimes (I can’t figure out how to dupe the error) session exists but not session.person_id.
Anyways I’m hoping that by changing how I store the session, it can help me figure out my problem. So I have a few questions that I can’t find answers to anywhere.
- Where is the cookie from express.cookieSession() stored? Server-side or client-side?
- Does express.cookieSession() allow for multiple servers running behind a load-balancer?
- Is it possible for a user to manipulate session data when using express.cookieSession()?
1 – Where is the cookie from express.cookieSession() stored? Server-side or client-side?
The cookie is sent on the replies from the server, and the browser sends that cookie back with each request.
2 – Does express.cookieSession() allow for multiple servers running behind a load-balancer?
Yes, if you use a shared store (like RedisStore).
3 – Is it possible for a user to manipulate session data when using express.cookieSession()?
Not if you use signed cookies (the default for session cookies in express when you provide a secret when initializing the session).
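Why a signed cookie resists client-side edits, as an added example that is not part of the original answer and not Express's own code: it uses only Node's `crypto` module to HMAC a session payload and reject any cookie whose payload no longer matches its signature. The function names, the cookie layout and the secret are assumptions made for the illustration. It also shows that signing is not encryption, since the payload can be read without the secret.

```javascript
// Added illustration: an HMAC-signed session cookie built with Node's crypto only.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed value; use a long random secret in practice

function mac(payload, secret) {
  return crypto.createHmac('sha256', secret).update(payload).digest('base64url');
}

// Serialize the session and append the MAC: "<base64url(JSON)>.<mac>"
function signSession(session, secret) {
  const payload = Buffer.from(JSON.stringify(session)).toString('base64url');
  return payload + '.' + mac(payload, secret);
}

// Return the session object, or null if the cookie was modified or is malformed.
function verifySession(cookie, secret) {
  const dot = cookie.lastIndexOf('.');
  if (dot < 1) return null;
  const payload = cookie.slice(0, dot);
  const given = Buffer.from(cookie.slice(dot + 1));
  const expected = Buffer.from(mac(payload, secret));
  // timingSafeEqual throws on a length mismatch, so compare lengths first
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  try {
    return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// What a client can do without the secret: read the payload (signed, not encrypted).
function peek(cookie) {
  const payload = cookie.slice(0, cookie.lastIndexOf('.'));
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
}

// A client-side edit: new payload, old signature. Verification must reject it.
function tamper(cookie, newSession) {
  const sig = cookie.slice(cookie.lastIndexOf('.') + 1);
  return Buffer.from(JSON.stringify(newSession)).toString('base64url') + '.' + sig;
}

const cookie = signSession({ person_id: 3 }, SECRET);
console.log('valid   :', verifySession(cookie, SECRET));
console.log('tampered:', verifySession(tamper(cookie, { person_id: 0 }), SECRET));
console.log('readable:', peek(cookie));
```

Because the value is readable by the client, only non-secret data such as an identifier belongs in a signed cookie, and the server should still check that the identifier refers to a live record.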