
@idagio/session-middleware

v2.0.0

Published

Middleware for creating and managing sessions. Builds on top of @idagio/cookie-middleware.

Downloads

17

Readme

@idagio/session-middleware

A very opinionated middleware for creating and managing session cookies.

This module builds on the shoulders of @idagio/cookie-middleware to provide a very simple interface for working with sessions. It does not concern itself with storage or validation of sessions; that is left to the user.

All that this module gives you is a way to ensure that there is always a request.session.token value, and a method for resetting that value to be something different.

Usage

var express = require('express');
var Cookies = require('@idagio/cookie-middleware');
var Session = require('@idagio/session-middleware');

var app = express();

// Cookies must be parsed before the session middleware runs,
// since Session reads and writes request.cookies.
app.use(Cookies.middleware);
app.use(Session.middleware);

app.get('/', function(request, response) {
  response.writeHead(200);
  response.end('Your session token is: ' + request.session.token);
});

// Generates a fresh token and sets it as the session cookie's value.
app.get('/reset', function(request, response) {
  request.session.reset();
  response.redirect('/');
});

app.listen(3000);

You can also use the constructor bare, just like @idagio/cookie-middleware:

var session = new Session(request.cookies, 'my_session_name');

By default, Session.middleware uses the session name _session. You can override this by writing your own version of the middleware that calls the Session constructor directly (it's four lines of code), e.g.,

function SessionMiddleware(request, response, next) {
  // Use a custom cookie name instead of the default '_session'.
  request.my_awesome_session = new Session(request.cookies, 'my_awesome_session');
  next();
}

// app.use(SessionMiddleware);

Important details around security

You will often use the request.session.token value as a key to store some information in a database or in memory, so that you can use the session token to retrieve that information at a later point in time. In order to prevent Session Fixation, you should ALWAYS call request.session.reset() before changing what the session is associated with.

For example, on login:

  1. Carry out whatever logic you have to authenticate the details provided for a user
  2. Call request.session.reset() to get a new session token
  3. Store the pairing of user details with request.session.token in your database (e.g., redis)

You should probably also expire sessions in your storage after a given number of days of inactivity.

API

new Session(cookies, [ name ])

Creates a new instance of the Session handler; cookies is expected to be something that conforms to the API which @idagio/cookie-middleware exposes. Optionally, you can specify a name for the cookie that the session will be stored in; this defaults to '_session'.

Session.prototype.reset()

Generates a new token value and sets it as the session cookie's value.

Security

This module uses cryptiles for creating random values. At present, the session token is generated using cryptiles.randomString(256).

If you would like to comment privately on the security aspects of this module, please email Em Smith – [email protected].