99
votes

Using Express.js, sessions are dead simple. I'm curious how they actually work though.

Does it store some cookie on the client? If so, where can I find that cookie? If required, how do I decode it?

I basically want to be able to see if a user is logged in, even when the user is not actually on the site at the time (like how facebook knows you're logged in when you're on other sites). But I suppose to understand that I should first understand how sessions work.

4

4 Answers

45
votes

I have never used Express.js, although according to their documentation on the subject it sounds like:

  • Cookies are stored on the client, with a key (which the server will use to retrieve the session data) and a hash (which the server will use to make sure the cookie data hasn't been tampered with, so if you try and change a value the cookie will be invalid)

  • The session data, as opposed to some frameworks (e.g. Play Framework!) is held on the server, so the cookie is more like a placeholder for the session than a holder of actual session data.

  • From here, it looks like this session data on the server is by default held in memory, although that could be altered to whatever storage form implements the appropriate API.

So if you want to check things without a specific req request object, like you said, you need to just access that same storage. On the bottom of the first documentation page, it details required methods the storage needs to implement, so if you're familiar with your storage API, maybe you could execute a .getAll() if something like that exists, and loop through the session data and read whatever values you want.

173
votes

Overview

Express.js uses a cookie to store a session id (with an encryption signature) in the user's browser and then, on subsequent requests, uses the value of that cookie to retrieve session information stored on the server. This server side storage can be a memory store (default) or any other store which implements the required methods (like connect-redis).

Details

Express.js/Connect creates a 24-character Base64 string using utils.uid(24) and stores it in req.sessionID. This string is then used as the value in a cookie.

Client Side

Signed cookies are always used for sessions, so the cookie value will have the following format.

[sid].[signature]

Where [sid] is the sessionID and [signature] is generated by signing [sid] using the secret key provided when initializing the session middleware. The signing step is done to prevent tampering. It should be computationally infeasable to modify [sid] and then recreate [signature] without knowledge of the secret key used. The session cookie is still vulnerable to theft and reuse, if no modification of [sid] is required.

The name for this cookie is

connect.sid

Server Side

If a handler occurs after the cookieParser and session middleware it will have access to the variable req.cookies. This contains a JSON object whose keys are the cookie keys and values are the cookie values. This will contain a key named connect.sid and its value will be the signed session identifier.

Here's an example of how to set up a route that will check for the existence of the session cookie on every request and print its value to the console.

app.get("/*", function(req, res, next) {

    if(typeof req.cookies['connect.sid'] !== 'undefined') {
        console.log(req.cookies['connect.sid']);
    }

    next(); // Call the next middleware
});

You'll also need to make sure the router (app.use(app.router)) is included after cookieParser and session in your configure section.

The following is an example of the data stored internally by Express.js/Connect.

{
  "lastAccess": 1343846924959,
  "cookie": {
    "originalMaxAge": 172800000,
    "expires": "2012-08-03T18:48:45.144Z",
    "httpOnly": true,
    "path": "/"
  },
  "user": { 
    "name":"waylon",
    "status":"pro"
  }
}

The user field is custom. Everything else is part of session management.

The example is from Express 2.5.

9
votes

I'm curious how they actually work though.

Try to look at this answer and wiki stuff.

Does it store some cookie on the client?

Yes, it's usually a cookie with assigned session ID, which should be signed with a secret in order to prevent forgery.

If so, where can I find that cookie? If required, how do I decode it?

You shouldn't mess with a session cookie on the client side. If you want to work with sessions on the server side you should check out related express.js and connect docs.

3
votes

In addition to already excellent answers, here are 2 diagrams I've created to explain Express sessions, their link with cookies and store :

  • chocolate cookie: chocolate
  • strawberry cookie: strawberry

Diagram's explanation:

Each cookie has a unique "flavor" (or sessionId). When the strawberry cookie is presented to the server (within the HTTP request), the server recognises this flavor and loads from the store the corresponding datas: Rosie's datas, and populates req.session with.