Session management components for the Authnomicon project.
@authnomicon/session is a set of components for maintaining authentication context during a login session to a web application. The authentication context is persisted using express-session, which stores session data server-side in Redis (via connect-redis), memcached (via connect-memcached), or another compatible session store.
A session ID cookie is set by express-session and is transmitted back by the user's web browser on later requests. This cookie is an opaque token, not the authentication context itself: the server uses it to look up the associated authentication context in the session store, and that context is then used to authorize the request.
The use of a cookie for authorization is particularly well-suited for the following scenarios:
- Traditional web applications that perform most of the application logic on the server and respond to user input submitted via HTML forms.
- Single-page applications (SPAs) that execute client-side JavaScript to render the user interface (UI) and call APIs hosted on the same origin.
In both of these scenarios, the cookie can be set with the HttpOnly attribute, preventing it from being accessed by JavaScript executing in the browser. This limits the impact of cross-site scripting (XSS): an injected script cannot read the session token and exfiltrate it, although it can still issue requests from the victim's browser that carry the cookie, so the HttpOnly attribute reduces the blast radius of XSS rather than preventing it.
The Authnomicon project uses Passport as an authentication framework. Web-based authentication schemes are provided by Authnomicon's authentication packages. The login session is initiated upon the user authenticating with one of these schemes. Passport's default session manager is replaced by the implementation from passport-multilogin, allowing simultaneous login to multiple accounts.
Jared Hanson
Copyright (c) Jared Hanson