WebFund 2014W: Tutorial 3
In this tutorial you will examine session-demo, a simple node express application that demonstrates session support.
In this tutorial you should do the following:
- Get session-demo in the same manner you got form-demo running.
- Try logging in to the app using two different browsers (e.g., Firefox and Chrome). What happens when you log out from one browser - how does it affect the other?
- The session state is stored in the browser. Can you figure out the user's username from this information?
- What do req.body and req.session look like just before a page gets rendered?
To get checked off, show a TA the following using the browser and server debugging tools covered in the last tutorial (or similar tools):
- A session cookie sent by the browser
- A session cookie stored on the server (persistently)
Questions to ponder:
- Who can observe the cookie? Modify it?
- How "persistent" are sessions on the server? The client?
- How could you "hijack" a session? Does the difficulty of session hijacking relate to whether a login is password protected or not?