expressjs / cookie-session

Simple cookie-based session middleware

Access & modify a specific user session

LM1LC3N7 opened this issue · comments

Hi,

I'm searching for how I can access a specific user session and change it.

For example:

  • An admin removes the admin right of a specific user
  • This user is already connected but is forced to disconnect in order to apply his new rights

How can I modify or delete a specific user session from another user?

Hi @flexbrane it's possible for your use-case you may want to use something like the express-session module instead of this module. Since this module stores nothing on the server and stores all information in the user's web browser, it's not possible to access any user's session to change it without building out an entire system on your end. Modules that store sessions server-side like express-session make what you're trying to do trivial (look up the session in the db and modify it).

But to do this, I must use another database, right?

To me, cookie-session only stored a session id in the web browser, an id corresponding to a server session stored in RAM. Am I wrong?

Because when I restart my server, all sessions are reset.

> To me, cookie-session only stored a session id in the web browser, an id corresponding to a server session stored in RAM. Am I wrong?

That is not correct; the entire session is within the web browser; this module has no session IDs at all, nothing is stored in server memory and there are no connections to databases from this module.

The contents of req.session are run through JSON.stringify() and then that resulting string is stored, base64, in the cookie. That's why you need to keep in mind how much you store in your session so you don't grow your cookie too large (https://github.com/expressjs/cookie-session#max-cookie-size).
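Because the whole session travels in the cookie, a cookie issued before an admin change still decodes to the old rights, and any revocation state has to be kept by the application itself. The sketch below is an added example, not code from this thread or from cookie-session; the field names `userId`, `isAdmin`, `issuedAt` and the `rightsChangedAt` map are assumptions, and the cookie signature check is left out.

```javascript
// Added example. Session fields and the revocation map are hypothetical.

// Encode/decode as the thread describes: JSON.stringify(), then base64.
function encodeSession(session) {
  return Buffer.from(JSON.stringify(session), 'utf8').toString('base64');
}

function decodeSession(cookieValue) {
  try {
    const obj = JSON.parse(Buffer.from(cookieValue, 'base64').toString('utf8'));
    return obj !== null && typeof obj === 'object' && !Array.isArray(obj) ? obj : null;
  } catch {
    return null; // decoded bytes were not JSON
  }
}

// Server-side state the application must keep itself: when each user's
// rights last changed. A Map stands in for a database table here.
const rightsChangedAt = new Map();

function revokeRights(userId, now) {
  rightsChangedAt.set(userId, now);
}

// Returns the session if still usable, or null if it must be discarded
// (malformed, or issued at or before the user's last rights change).
function checkSession(cookieValue) {
  const session = decodeSession(cookieValue);
  if (!session || typeof session.userId !== 'string' ||
      typeof session.issuedAt !== 'number') {
    return null;
  }
  const changed = rightsChangedAt.get(session.userId);
  if (changed !== undefined && session.issuedAt <= changed) return null;
  return session;
}

// Constructed sample cookies, both issued at time 1000.
const aliceCookie = encodeSession({ userId: 'alice', isAdmin: true, issuedAt: 1000 });
const bobCookie = encodeSession({ userId: 'bob', isAdmin: false, issuedAt: 1000 });
```

In an Express middleware, a `null` result would be followed by `req.session = null`, which is how cookie-session clears the cookie, so the user has to log in again and receives a session built from the current rights.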

Thank you for these explanations!

So I must use another cookie module, like express-session.