Authorization Using Sessions

Questions and Answers

Which of the following is a key difference between sessions and cookies?

  • Sessions can only store small amounts of data, while cookies can store large amounts.
  • Sessions are specific to a single route, while cookies are accessible across all routes.
  • Sessions are stored on the client-side, while cookies are stored on the server-side.
  • Sessions are stored on the server-side, while cookies are stored on the client-side. (correct)

Sessions, by default, are designed to persist indefinitely, ensuring data is retained even if the server restarts.

False (B)

What is the primary purpose of using sessions in web applications?

store user state and data

The express-session middleware stores session data in ______ by default, which is not suitable for production environments.

server memory

Match the session data storage method with its characteristic:

  • Application memory = Simplest method, consumes server memory, data lost on crash, mostly for development
  • Memory cache = Fast access, volatile, suitable for non-critical data
  • Cookies = Popular, bandwidth intensive, limited size (around 4KB), security concerns
  • File or Database = Persistent storage, suitable for production, less complex than memory cache

Which of the following is a potential drawback of using cookies for storing session data?

Cookies are limited in size, typically around 4KB. (B)

Using npm install express-session command installs the necessary plugin to use sessions in a Node.js application.

True (A)

In Node.js with Express, what middleware is commonly used to enable session management?

express-session

When using the express-session middleware, the secret option is used for ______ the session ID cookie.

signing

Match each express-session option with its description:

  • secret = String used to sign the session ID cookie
  • resave = Forces the session to be saved back to the session store, even if it wasn't modified during the request
  • saveUninitialized = Forces a session that is 'uninitialized' to be saved to the store
  • cookie = Settings object for the session cookie (e.g., maxAge, secure)

In the provided code snippets, what is the purpose of req.session.destroy()?

It clears the current session data. (B)

If a user logs in and the session is correctly established, accessing the login page again should still require entering credentials.

False (B)

What does the maxAge property within the cookie object in the express-session configuration specify?

session duration

The memorystore package is used to prevent ______ by storing session data in memory in a more efficient way.

memory leaks

Match each action to the piece of code that performs it:

  • Install express-session = npm install express-session
  • Install memorystore = npm install memorystore
  • Redirect to homepage = res.redirect("/");
  • Set cookie max age = cookie: { maxAge: 24 * 60 * 60 * 1000 }

In the context of session management, what is a 'session store'?

A mechanism to persist session data beyond the default server memory. (B)

Using a session store like MemoryStore completely eliminates the risk of session data loss.

False (B)

What is a typical use case for storing session data in a database instead of in-memory?

scalability and performance

To ensure that session data is not lost when the server restarts, it is recommended to store sessions in a ______.

database

Match the code snippet with its description.

  • app.get('/logout', function (req, res) = Configures a route to handle user logout and clear the session.
  • req.session.destroy(function (err) = Destroys the session, clearing all associated data.
  • res.redirect('/'); = Redirects the user to the homepage.
  • app.use(session({ = Initializes session middleware with specified configuration options.

According to the provided code, what is the purpose of the /user route?

To retrieve the current user's session information. (A)

The code snippet res.status(401).send("No user info") indicates a successful retrieval of user information.

False (B)

What HTTP status code is used to indicate 'Login failed'?

401

The express.static middleware is used to serve ______ files such as CSS, images, and JavaScript.

static

Match each code snippet with its function.

  • express.json() = Parses incoming requests with JSON payloads.
  • express.urlencoded({ extended: true }) = Parses incoming requests with URL-encoded payloads.
  • bcrypt.hash(password, 10, function (err, hash) = Hashes a password using bcrypt.
  • res.sendFile(path.join(__dirname, 'views/login.html')) = Sends a file as an HTTP response.

What does the following line of code accomplish: const username = formLogin['txtUsername'].value;?

Retrieves the value entered in a form field with the name 'txtUsername'. (C)

It is safe to store passwords directly in a database without encryption.

False (B)

What library is used to encrypt passwords?

bcrypt

When bcrypt's compare function returns true, it means that the entered password ______ the password in the database.

matches

Match the action performed in the code snippets with the user type that is allowed to perform that action.

  • Access the '/dashboard' route = Admin users (role == 1)
  • Access the '/shop' route = Regular users (role == 2)
  • Perform login = All users of the system
  • Add product = Admin users only

What middleware helps with serving static files?

express.static (D)

If a user has an active session, accessing the root route ('/') will always redirect them to the login page.

False (B)

What does location.replace(data) do?

forward to another page

HTTP is a ______ protocol.

stateless

Match the definition with its description.

  • cookie = a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests.
  • session = a way to store information about the user across multiple pages of your website.
  • localhost = a hostname that refers to the computer that it is running on.
  • port = a virtual point where network connections start and end.

Which of the following is likely the least secure storage for session data?

application/server memory (A)

The term web system has only one member.

False (B)

According to the texts, why can sessions increase web security?

help prevent unauthorized access

The term web application refers to a ______ system.

real

Match the following code with the file where it is likely to be found:

  • const express = require("express"); = app.js
  • <link rel="stylesheet" href="/public/css/bootstrap.min.css"> = index-login.html
  • const con = mysql.createConnection({ = db.js
  • <button class="btn btn-danger">Sign out</button> = dashboard.html

Flashcards

Session

A technique to keep user's state and data for the server to remember.

Application memory for sessions

Storing session data in application memory consumes server's memory and data is lost if the server crashes. Not recommended for production.

Cookie for sessions

A session data storage method; bandwidth is consumed every time data is exchanged with the server. It is limited by cookie size, and security must be considered.

Creating sessions

Sessions are created server-side and can store values shared across all back-end services.


'express-session'

A Node.js plugin used to manage sessions in a simple way.


req.session.destroy()

Clears the session; the lesson's logout route then redirects the user to the login page.


Default session storage

Stores sessions in the server's memory, which can lead to memory leaks in production.


MemoryStore

An effective technique for session storage that avoids memory leaks.


Session

A technique to remember something on the server side; it is necessary for real web applications because a web system usually has several users and needs to keep track of each one.


Protect Backend Routes

Help prevent unauthorized people from calling the protected API services.


Session's Usage for the Front End

Allow accessing only permitted pages and remember the users until the session expires.


Session and 'memory leak'

The 'memory leak' possibility must be handled; one technique to lessen that chance is to use a 'session store'.


Study Notes

Authorization Using Sessions

  • Sessions are a technique to store user state and data on the server, similar to cookies, but server-side.
  • Sessions act like server variables, accessible across all routes in the server after creation.

Data Storage Options for Sessions

  • Application Memory
    • This is the simplest method.
    • It consumes server memory.
    • Data is lost if the server crashes.
    • It's primarily for development, not production.
  • Memory Cache
  • Cookie
    • This is a popular method.
    • It consumes bandwidth with every data exchange with the server.
    • It's limited by cookie size (around 4 KB).
    • Security should be a concern.
  • File or Database

Implementation

  • Sessions with application memory and files are preferred for their simplicity and practicality.
  • In Node.js, express-session is a plugin to simplify session use.
  • Installation is done via npm install express-session.

Session Usage

  • Sessions are created server-side.
  • They store values shared across all back-end services.
  • Example: remembering user info after login for use on another page.

Login/Welcome Page Example

  • Correct credentials ("admin"/"1111" or "user"/"2222") redirect to a welcome page.
  • The welcome page uses session data to display the user's ID and username.
  • Already logged-in users bypass the login page, redirecting to the welcome page.

app.js Configuration

  • Express, path, and express-session are required.
  • The "public" folder is set as a static folder for direct user access.
  • express.json() and express.urlencoded() parse JSON and URL-encoded request bodies.
  • Session middleware configures session settings like cookie max age, secret code, resave, and saveUninitialized.

Login Route

  • Handles user login by checking username and password.
  • On successful login, keeps the username and userID in the session.
  • Redirects to the "/welcome" route.
  • Sends "Login failed" with a 401 status for incorrect credentials.

Logout Route

  • Clears the session variable using req.session.destroy().
  • Handles errors during session clearing, sending a 500 status if it fails.
  • Redirects to the homepage ("/") upon successful logout.

Get Username Route

  • Retrieves user information (userID and username) from the session.
  • Returns user data as JSON if a session exists.
  • Sends "No user info" with a 401 status if no session exists.

Welcome Route

  • Checks for a session.
  • Sends the "welcome.html" file if a session exists.
  • Otherwise redirects to "/".

Root Route

  • Checks if a user is already logged in via session.
  • Redirects logged-in users to "/welcome".
  • Serves "index.html" (login page) for non-logged-in users.

Client-Side Login Script

  • The login form prevents default submission.
  • It retrieves username and password from input fields.
  • It sends a POST request via fetch with the user credentials.
  • It redirects to the welcome page upon successful login.
  • It displays an error message using SweetAlert2 for login failure or connection errors.

Logout Implementation

  • The logout button calls the /logout route, which clears the session.
  • This redirects to the login page.

Session Stores

  • By default, sessions are stored in server memory and are lost when the server stops.
  • The default in-memory store can cause a memory leak.
  • This can be solved with a session store (e.g. MemoryStore).
  • MemoryStore can be installed via npm install memorystore.

Session Store Setup

  • After installation, require memorystore inside app.js.
  • When calling app.use(session({...})), add store: new MemoryStore({...}) inside the options object.
  • Also set checkPeriod so that expired sessions are pruned at a suitable interval.

Session with Database Example

  • Create a database called 'webpro' with two tables called 'user' and 'product'.
  • 'user' will contain user information such as ID, username, password, and role.
  • 'product' will contain product information such as ID, product name, price, amount, and image.
  • Passwords in the database should be hashed with 'bcrypt'.
  • When using the login functionality, the password from the user input is compared (bcrypt compare) with the hashed password stored in the database for that username.
  • The database and table structure must be set up properly.

Summary

  • Sessions are server-side
  • Sessions are necessary for keeping track of users
  • Sessions help increase web security.
  • Sessions can help prevent unauthorized users from calling APIs
  • Using sessions must handle the 'memory leak' possibility
  • It's possible to store sessions in databases, and configure roles
