Cookies

    • HTTP is stateless: every request is independent of the previous ones
    • Cookies & sessions are how a server carries state across requests

    Cookies are visible to users

    Don’t trust cookies

    • Anything in a cookie can be read and edited by the client, so a cookie value is never proof of anything on its own
    • Use signed cookies to detect tampering (signing proves the server wrote the value; it does not hide it)
    • Cookies are a common target of XSS attacks: injected script reads document.cookie and sends it to the attacker
    • Sessions use a cookie too, but the cookie only carries an opaque session id; the real data stays on the server, which is why they are safer
    • Express knows how to handle sessions
    • npm module cookie-session stores the session state on the client, inside a signed cookie
    • helps to handle storing info in the client, but the client can still read that info, so keep secrets out of it
    • the server-side alternative (npm module express-session) stores the session info in the Express server, in memory by default. Memory is per process, so with multiple node instances use a shared store such as a NoSQL database (Redis, MongoDB) to keep them in sync.
    • Sessions are useful to save user preferences, auth info, tracking, etc.

    Externalizing Credentials

    • the secret used to sign cookies and sessions must not be hard-coded or committed; load it from an environment variable or a credentials file kept out of source control
    • it can be any long random string, eg.

    domain

    • controls which domain (and its subdomains) the browser sends the cookie to
    • Cookie must be scoped to the same domain as its server (the responding host or a parent domain of it). Otherwise the browser silently discards it and the cookie never comes back.

    path

    • controls the URL path prefix for which the browser sends this cookie (Express defaults it to /)

    maxAge

    • lifetime in milliseconds counted from now; Express turns it into the Max-Age/Expires attributes the browser understands
    • this is simpler than

    secure

    • if true the browser will only send the cookie over an HTTPS connection; set it on anything sensitive
    • behind a TLS-terminating proxy, express-session also needs app.set('trust proxy', 1), otherwise it sees plain HTTP and will not set a secure cookie at all

    httpOnly

    • the cookie is not exposed to client-side JavaScript (document.cookie); only the browser and the server ever see it
    • this limits the damage of an XSS attack, because injected script cannot steal the cookie; it does not prevent XSS itself, and the script can still make requests that carry the cookie

    signed

    • the server appends an HMAC of the value, keyed with the app secret, and verifies it on every request; a cookie whose signature does not match is rejected and its value is not used (cookie-parser reports it as false instead of the tampered value)
    • signing proves the server wrote the value, it does not encrypt it: the client can still read everything in the cookie