Storing secret data inside session
I have backend app in which I am using passport.js like this:
passport.use(new LocalStrategy({
usernameField: 'login',
passwordField: 'passwd'
},function(username, password, done){
// call to external api to check if login & passwd are correct
var user = { user: username, passwd: password };
return done(null,user);
}));
passport.serializeUser(function(user, done) {
done(null,user);
});
passport.deserializeUser(function(id, done) {
done(null,id);
});
The problem is that I use username and password fields for basicAuth to
communicate with main REST API. So I have to keep both fields (username
and password) inside session (u can see this in my localstrategy callback)
to use them for basicAuth for external server. How I can make it safe? I
guess that storing it inside session is not a good idea because session is
saved in cookie right? How I can store session data on server and just
session/user id on server?
No comments:
Post a Comment