Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

Security

anish raj
PLUS
anish raj
Courses Plus Student 48 Points

Secure login using cookie

In my nodejs app I'm using express-sessions module for login system. I prefer Database for Session ID storage rather than file system storage for some reason. My question as follows.

when user logged In (say A and B) . I have to provide cookie( A-1234 and B-5678) in encrypted form and redirect them to a page of my choice. Now when used navigate to another page. I will retrieve the cookie( which is Unique among all user). and check for the corresponding user and show all their personal Information. Here when I copy the cookie of User A and Paste it in another window of User B. What happening is not at all surprising . All Personal Information of User A is displayed to User B which is unacceptable. But I tried with websites like amazon.com, gmail.com and teamtreehouse.com but they are not displaying 3rd person Information. How to do so?. Thanks in Advance

1 Answer

Steven Parker
Steven Parker
231,268 Points

:mailbox_with_mail: Hi, I got your request.

But I'm not sure why accessing information by pasting the cookie is "unacceptable". It's only possible to paste the cookie because you already successfully logged in as the other user. So your access to the other user's information is legitimate.

I'm not familiar with how those other sites work, but it could be they use something other than or in addition to cookies such as server-side session data for access control.

anish raj
anish raj
Courses Plus Student 48 Points

Thanks for your time Steven Parker. I Appreciate your answer.