WebFund 2013W: Sessions

From Soma-notes
Revision as of 18:18, 15 February 2013 by Soma (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

In this tutorial we'll examine a simple express demo that lets you set a session by "logging in". Note that there is NO SECURITY in this example. We will cover that later!

First, download and look at demo-session-auth. After running "npm install" in the directory, you should be able to run "node app.js".

(If you need to get node running on Windows computers where you don't have admin access, see the last tutorial.)

You'll notice this app allows you to login, and then once you are logged in you stay logged in until you log out. Your login state is stored in a cookie managed by express. Specifically, notice how this code makes use of the session functionality of connect.

To test your understanding, modify this application so that when you login, you get a list of logged in users. With each user is associated personal information that can be updated by just that user. Specifically, implement the following

  • /: Login screen if you aren't logged in
  • /: List of logged in users, if logged in
  • /info: information on the logged in user in editable fields (name, address, email, invisible)
  • /update: update personal information (POST for /info form)

The "invisible" toggle should control whether the user shows in the list of logged in users. Logout should take you back to the login screen or a custom "you've logged out, click here to login again" screen.

While implementing this, consider:

  • How hard is it to keep per-user information separate?
  • What is the secret used to initialize the cookie? Why is it needed?
  • What do the session cookies look like?
  • What part of the app sets the cookie? Retrieves it?
  • Where should you store per-user information persistently (at least, for as long as the web server is running)?

Good luck!