WebFund 2013F: Tutorial 5

From Soma-notes

In this tutorial you will examine session-demo, a simple node express application that demonstrates session support.

In this tutorial you should do the following:

  • Get session-demo running in the same manner you got form-demo running.
  • Try logging in to the app using two different browsers (e.g., Firefox and Chrome). What happens when you log out from one browser - how does it affect the other?
  • The session state is stored in the browser. Can you figure out the user's username from this information?
  • What do req.body and req.session look like just before a page gets rendered?

To get checked off, show a TA the following using the browser and server debugging tools covered in the last tutorial (or similar tools):

  • A session cookie sent by the browser
  • A session cookie stored on the server (persistently)

Questions to ponder:

  • Who can observe the cookie? Modify it?
  • How "persistent" are sessions on the server? The client?
  • How could you "hijack" a session? Does the difficulty of session hijacking relate to whether a login is password protected or not?