WebFund 2013F: Tutorial 5

From Soma-notes

In this tutorial you will examine session-demo, a simple node express application that demonstrates session support.

In this tutorial you should do the following:

  • Get session-demo in the same manner you got form-demo running.
  • Try logging in to the app using two different browsers (e.g., Firefox and Chrome). What happens when you logout from one browser - how does it affect the other?
  • The session state is stored in the browser. Can you figure out the user's username from this information?
  • What does the req.body and req.session look like just before a page gets rendered?

To get checked off, show a TA the following using the browser and server debugging tools covered in the last tutorial (or similar tools):

  • A session cookie sent by the browser
  • A session cookie stored on the server (persistently)

Questions to ponder:

  • Who can observe the cookie? Modify it?
  • How "persistent" are sessions on the server? The client?
  • How could you "hijack" a session? Does the difficulty of session hijacking relate to whether a login is password protected or not?