30

I am using node/express with passport in my development. I came across an article which says:

Express loads the session data and attaches it to the req. As passport stores the serialised user in the session, the serialised user object can be found at req.session.passport.user.

But to my surprise, the value for sessionID stores in the browser cookies remain the same before and after login. So where does the serialised user object is stored?

I thought that it was stored in the user sessionid cookie initially but it seems that this is not the case as I still can access my user object with req.session.passport.user

Sunil Garg
  • 14,608
  • 25
  • 132
  • 189
desmondlee
  • 1,643
  • 4
  • 21
  • 33

2 Answers2

53

So where does the serialised user object is stored?

In Short

The serialized user object is stored in req.user by PassportJS taken from req.session.passport.user (which is is populated by Express) with the help of Passport's deserializeUser method.

Express adds the id of the session object into a cookie on user's browser, which is sent back to express in a header on every request. Express then takes the id from the header and search the session store (i.e. Mongo or whatever) and find the entry and load it to req.session.

PassportJS uses the content of req.session to keep track of the authenticated user with the help of serializeUser and deserializeUser methods (for more information on workflow of serializeUser and deserializeUser see my answer in this SO question).

Express is responsible for creating the session. when does the sessions gets created? That is when Express do not detect a session cookie. So the order in which you organize your session and passport configs in your app or server.js file is very important. If you declare your session and passport configs above static directory configs then all requests for static content will also get a session, which is not good.

See my answer to this SO question, where I have mentioned about static content access as well as how to selectively apply passport to certain routes, rather than default (you might not need to authenticate all the routes - hence you could avoid unnecessary session store lookup and de-serialization by attaching session only to requests that map to secure URLS see below). 

//selectively applying passport to only secure urls
app.use(function(req, res, next){
  if(req.url.match('/xxxx/secure'))
    passport.session()(req, res, next)
  else
    next(); // do not invoke passport
});

There is one amazing tutorial that I highly recommend you to read up if you want to understand the workflow of PassportJS.

Community
  • 1
  • 1
Raf
  • 7,505
  • 1
  • 42
  • 59
3

You can look at the sessionID in the cookie as a key to a database where the session data is stored. Depending on what session handler you use with express, and what storage policy you use the data will be stored in different ways. This means that the sessionID can be the same value both before login, after a successful login, and even after a user logs out.

If you use express-session with MemoryStore the data will be saved in the memory of the node process, indexed on the sessionID. Look here for initialization of the store and here for storing of the data.

You could create a store where the data is serialized to the cookie, but none such are listed in the compatible session stores.

bolav
  • 6,938
  • 2
  • 18
  • 42