Difference between revisions of "WebFund 2013F: Tutorial 5"

Latest revision as of 00:58, 4 October 2013

In this tutorial you will examine session-demo, a simple node express application that demonstrates session support.

In this tutorial you should do the following:

Get session-demo in the same manner you got form-demo running.
Try logging in to the app using two different browsers (e.g., Firefox and Chrome). What happens when you logout from one browser - how does it affect the other?
The session state is stored in the browser. Can you figure out the user's username from this information?
What does the req.body and req.session look like just before a page gets rendered?

To get checked off, show a TA the following using the browser and server debugging tools covered in the last tutorial (or similar tools):

Questions to ponder:

Who can observe the cookie? Modify it?
How "persistent" are sessions on the server? The client?
How could you "hijack" a session? Does the difficulty of session hijacking relate to whether a login is password protected or not?

@@ Line 7: / Line 7: @@
 * What does the req.body and req.session look like just before a page gets rendered?
-To get checked off, show a TA the following:
+To get checked off, show a TA the following using the browser and server debugging tools covered in the last tutorial (or similar tools):
 * A session cookie sent by the browser
 * A session cookie stored on the server (persistently)
+Questions to ponder:
+* Who can observe the cookie?  Modify it?
+* How "persistent" are sessions on the server?  The client?
+* How could you "hijack" a session?  Does the difficulty of session hijacking relate to whether a login is password protected or not?