I can not be grateful enough. This is my first comment ever on RUclips. You are indeed a great Teacher!
thx
Man, I'm still here wondering why you don't have 1Mi+ subs... that's insane. Great content, of course liked + subbed
Thanks for the sub!
CRIMINALLY UNDERRATED
This is a gem! Thank you for this video!
Excellent video. I have watched a lot of videos on this topic but this one actually helped the topic click in my head.
Glad you enjoyed it!
I appreciate the walk through with the diagram!!!
Thanks, I'm glad you like it 👍
Well explained, Thank you!
Glad you liked it!
You're just too good, man
👍
I have one doubt: while making a request, the browser shares the session id with the server. Does it also share the JWT token in cookies? Thank you sooo much for your valuable content💖
No JWT, Passport or Auth0. Love it!
Thanks, passport would be overkill in that case. Although it might be useful for OAuth 2 and so on. And JWTs don't make good session tokens 😁
awesome explanation.
I learnt a lot from this session series.
thank you so much.
thanks, glad to hear that 👍
Crystal clear!
thanks 👍
amazing description. Love that flow diagram.
Glad you like it 👍
I am excited to start this new playlist !
By the way, your sound is a bit low compared to other videos I watch. This is not a big issue but I noticed that I always increase the volume on your channel, just FYI ;)
I'm glad you like it 👍
I have just re-rendered the videos that are not out yet and bumped up the volume. Unfortunately I cannot change a video once it is published. So starting at part 6 the audio will be louder. Until then I think you will need to turn the volume a little. Sry. for that, still trying to figure out the best technical setup.
I just released part 6:
ruclips.net/video/i6190xVJMh8/видео.html
Audio should be better there
@@jgoebel Sound is perfect now, thanks!
Thanks a lot. Perfect explanation
thx. I'm glad it was helpful!
thank you very much
You are welcome
Hey, if we don't want to send the session ID to the client side, is there any way to do that?
We already send the session id to the client in the cookie. However, we deliberately set the cookie to HttpOnly so that no JS can access it. The browser will send it along automatically. If no JS on the client side can access it, then we have a smaller attack surface.
Your explanation is very good, brother.. everything is very clear... I've one little question.. so you set the cookie duration as 30 mins... so after it expires the user has to re-enter credentials and re-login while the user is online in the system... so how do I persist the session if I want to do so, for a feature like the "remember me" option? Thank you so much for sharing this awesome knowledge..
Hi Zillion, the user gets logged out after 30min of inactivity. I.e. if you are inactive for 29 minutes but then you make an action so that your session is modified, then you get another 30min on the clock.
The remember-me option would be implemented by keeping the session alive for longer
@@jgoebel Thanks buddy. So if I set one month or more as expiry, is it bad for security?
@@zillionvfx4786 depends on what other security measures you've taken and what type of application you are building and also on the total amount of users. If you want to keep them logged in for that long, you could also think about using JWTs in local storage / cookie. But I would only do this if you do not need to log someone out from the server side and if you are not working in a highly security-constrained environment (which is what I would assume, otherwise you would probably not offer the stay-logged-in functionality). If you do this, you will also need good XSS protection (content security policy) and proper CSRF protection.
@@jgoebel for even that question you provide me a huge explanation. For that I hit the bell icon also.. you are a goat buddy... Add more cool stuff and thanks a ton again buddy... ❤❤❤
@@zillionvfx4786 thx 👍
What's the best strategy to implement logging a user out?
You can call req.session.destroy. This will delete the server-side session and thus log out the user immediately: github.com/expressjs/session#sessiondestroycallback
That's good, thanks.
👍
Would be great if you could do one of these with passport js
will add that to my list of potential topics 👍
Great Effort.
I would appreciate it if you answered the following question:
Will a session be created for any new request (new customer) if no login is required (for example: a website which does not require any login)? Will a session then be created for each user? If yes, then what benefits can I get from the session? If no, then why not?
You can control this behaviour with the saveUninitialized setting. If it is set to true, then the server would create a session for every new user that does not have a session yet even if no data is stored inside of the session. That would also mean that if you plug in the session middleware and never use it (i.e. you never store something inside of the session), it would generate empty sessions for your users. You can read about this property here: github.com/expressjs/session#saveuninitialized
Typically you probably want to avoid doing this because it would be a waste of resources. So if you set saveUninitialized to false (like we do in the tutorial), we only create a session, push it to the session store (Redis) and set a cookie if we are actually saving data inside of it.
The sound is weak for me
Sry. for that, I'm currently trying to figure out the best setup. I re-rendered all the videos that are not out. Since I cannot change videos that are already published, it could be that the audio until part 5 is a little bit low. But from part 6 to end it should be good 👍
Btw, I just released part 6 - audio should be better there: ruclips.net/video/i6190xVJMh8/видео.html
My speaker is broken
Hello
Hello
after knowing jwt is not that kinda secure enough: 💀💀