Additional details on destroying sessions, cookies and the stored credentials for automatic login in a new logout function
The following functions are necessary for a secure login and session management:
- HTTPS communication
  - with OpenShift from Red Hat that's no problem:
  - https://blog.openshift.com/domain-names-and-ssl-in-the-openshift-web-console/
  - stackoverflow has additional information on how to check whether https is active:
    "req.secure is a shorthand for req.protocol === 'https' and should be what you're looking for.
    If you run your app behind a proxy, enable 'trust proxy' so req.protocol reflects the protocol that's been used to communicate between client and proxy:
    app.enable('trust proxy');"
  - and from OpenShift comes the redirect itself:
    res.redirect('https://' + req.headers.host + req.path);
  - see how to integrate this with app.use
  - and this is my solution: https for productive use when a proxy is in front, otherwise local tests over http, which is what I do at the moment:
    app.use(function (req, res, next) {
      // the OpenShift proxy sets x-forwarded-proto; plain http is redirected to https
      if (req.headers['x-forwarded-proto'] == 'http') {
        console.log("REDIRECT TO HTTPS");
        res.redirect('https://' + req.headers.host + req.path);
      } else {
        console.log("NO REDIRECT TO HTTPS");
        next();
      }
    });
  - res.redirect doesn't work with a POST, so the redirect was modified to use only the host and no longer the path; that forces the login over https as desired
  - I want to mention that the above statements must be placed before:
    app.use(express.static(path.join(__dirname, 'static')));
  - the app is another story: it must always use https, as it only sends AJAX requests
- cookies must be allowed for session management
  - the session management is based on session cookies
  - if cookies are not allowed, login is not possible
- login page as start page
  - the system must force the login page as long as there is no valid login; this is done with configuration options of jQuery Mobile 1.4.5 (go to the end of the discussion!)
  - additionally, every request checks whether a session is active; if not, login is enforced
- basics for login and session management:
  - https://codeforgeek.com/2014/09/manage-session-using-node-js-express-4/
  - but the example did not work: it was not possible to store the session cookie in the client automatically with AJAX
  - this information did help: the name attribute was introduced in app.use(session({ ... and in the node.js part I fixed it so that AJAX requests don't get a redirect
  - cookies: see https://github.com/carhartl/jquery-cookie
- the system delivers a captcha in addition to the entry fields
  - https://www.npmjs.com/package/captchapng is used
  - later MD5 will additionally be used to hash the captcha value kept in the session on the server, and to hash the user's input on the server too before the two are compared
- the user enters
  - user name, usually the email address
  - password
  - captcha (later)
- the data are checked
  - check against the user table
  - check the password; it's simply hashed with MD5 and will be enhanced to a unique hash later
  - check the user type; admins have more rights in user management than others
  - when the USER table is empty, the admin is automatically directed to the user entry; after that the system works as expected: every user must be created by an admin to be able to work, and normal users can only create new normal users
- automatic login with cookie
  - if the user uses "remember me", a cookie stores the credentials of the user
  - the credentials are stored encrypted in the cookie
  - on invocation the system checks the cookie and does the login automatically
  - if the user no longer wants the automatic login, he goes back to the login screen, unchecks "remember me" and logs in once more; that deletes the cookie with the credentials - or he does a logout
- automatic login with indexedDB
  - in an app, cookie handling differs by platform and does not correspond to the handling in the browser
  - therefore the credentials of an app are not stored in a cookie; they are stored (encrypted) in indexedDB instead
- logout
  - a logout function has been provided
  - on the server, req.session.destroy(function (err) { ... }); is used to finish the session
  - but that is not enough: the server additionally has to destroy the client-side session cookie: res.clearCookie("server-session-cookie-id");
  - as the credentials on the client are stored in an additional cookie, this cookie is destroyed on the client by:
    Cookies.remove("username", {
      domain: location.hostname
    });
  - the destruction of the credentials in indexedDB is done client-side too
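The server-side pieces described above (the https redirect behind the OpenShift proxy, the per-request session check that must not redirect AJAX callers, and a logout that destroys the session and clears both cookies), as an added example that is not code from this post. It is written as plain Express-style handlers with the assumed names forceHttps, requireSession, logout and SESSION_COOKIE, so it runs without Express; the cookie names are the ones the post uses.

```javascript
// Added example, not the post's own code: the three server-side pieces the
// post describes (https redirect behind the OpenShift proxy, per-request
// session check, logout) as plain Express-style handlers so they run without
// Express. Assumed names: forceHttps, requireSession, logout, SESSION_COOKIE.
const SESSION_COOKIE = 'server-session-cookie-id'; // name used in the post
const REMEMBER_COOKIE = 'username';                // "remember me" cookie

// The proxy sets x-forwarded-proto; plain http is redirected to https.
// A redirect cannot replay a POST body, so non-GET requests are sent to the
// host root (the login page) instead of the original path.
function forceHttps(req, res, next) {
  if (req.headers['x-forwarded-proto'] === 'http') {
    const target = req.method === 'GET' ? req.path : '/';
    res.redirect('https://' + req.headers.host + target);
    return 'redirected';
  }
  next();
  return 'passed';
}

// Every request needs a live session. AJAX callers (jQuery sets
// X-Requested-With) get a 401 instead of a redirect, so the client can show
// the login page itself rather than following a redirect it cannot use.
function requireSession(req, res, next) {
  if (req.session && req.session.user) {
    next();
    return 'ok';
  }
  if (req.headers['x-requested-with'] === 'XMLHttpRequest') {
    res.status(401).json({ error: 'login required' });
    return 'ajax-401';
  }
  res.redirect('/login');
  return 'redirect-login';
}

// Logout: destroy the server-side session, then tell the client to drop both
// the session cookie and the "remember me" cookie (server-side clearCookie
// complements the client-side Cookies.remove shown in the post).
function logout(req, res, done) {
  req.session.destroy(function (err) {
    if (err) { return done(err); }
    res.clearCookie(SESSION_COOKIE);
    res.clearCookie(REMEMBER_COOKIE, { domain: req.hostname });
    res.status(204).end();
    done(null);
  });
}
```

Mount forceHttps and requireSession with app.use before express.static, as the post notes, and route logout to a POST handler; the indexedDB credentials still have to be removed on the client.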