Expressjs authentication

<p>I have some questions regarding login and sessions. I have this code:</p>
<p><strong>The db query:</strong></p>
<pre><code>login: function(req, callback) {
  var query = 'SELECT id FROM users WHERE email = "' + req.body.email_login +
              '" AND password = "' + hashlib.sha1(req.body.password_login) + '" LIMIT 1';
  client.query(query, callback);
}
</code></pre>
<p><strong>The route:</strong></p>
<pre><code>app.post('/login', function(req, res, next) {
  users.login(req, function(err, results) {
    if (err) {
      res.render('index');
    } else if (results[0]) {
      req.session.userdata = results[0];
      req.session.is_logged_in = true;
      res.render('site/news');
    } else {
      // no matching user: back to the login page
      res.render('index');
    }
  });
});
</code></pre>
<p><strong>Auth middleware:</strong></p>
<pre><code>var auth = function (req, res, next) {
  if (req.session.userdata &amp;&amp; req.session.is_logged_in === true) {
    next();
  } else {
    res.redirect('/');
  }
};
</code></pre>
<p>I use db store for the session.</p>
<p>Now my questions are:</p>
<p>1) Is this a safe way to do it? Or should I consider doing it some other way?</p>
<p>2) Say I have this URL <code>/domain/users/1</code>, where the last segment is the user id which is used to fetch user data. And on that view I have a form for changing user data. Is it safe to check if the user id matches the session user id and then show the form?</p>
<p><strong>In the view:</strong></p>
<pre><code>// e.g. get the session.id from dynamichelper
if (data.userid === session.userdata.id) {
  // The form where user can change his data contained within here
}
</code></pre>
<p>The server is going to use SSL.</p>
<p>Thanks in advance</p>
<p>George</p>