gluxon gluxon - 4 months ago 49
PHP Question

Importance of session secret key in Express web framework

I'm quite confused by the importance of a session secret. I'm jumping into web development with Express and Node, and at the moment, I'm trying to implement a simple login. The below code is taken from the sessions example in Express.

// Required by session() middleware
// pass the secret for signed cookies
// (required by session())
app.use(express.cookieParser('keyboard cat'));

// Populates req.session
app.use(express.session());


It uses "keyboard cat" as a session secret. Many of the things I've looked around about session secrets recommend me to change this to something custom. I now have 3 specific questions concerning this.


  1. Why have I not seen this before when I was working with PHP?

  2. What is the session secret being used for exactly?

  3. Let's say I change the session key. My code is open source. Won't changing this be a bit redundant in that case? I don't see asking the user for a custom key as an option.

  4. I was thinking of generating a random UUID to fill in the key. Are there problems with this? (in terms of security)


Answer
  1. Because PHP is not Nodejs. Session management in PHP is different from session management in node: node never dies, unlike PHP, which is constantly invoked by your server daemon (apache, IIS, what have you), asked to generate some content, then end its process. Node is the equivalent of Apache plus PHP.
  2. It's used to encrypt the session cookie so that you can be reasonably (but not 100%) sure the cookie isn't a fake one, and the connection should be treated as part of the larger session with express.
  3. This is why you don't put the string in your source code. You make it an environment variable and read it in as process.env("SESSION_SECRET") or you use an .env file with https://npmjs.org/package/habitat, and make sure those files never touch your repository (svn/git exclusion/ignores) so that your secret data stays secret.
  4. the secret is immutable while your node app runs. It's much better to just come up with a long, funny sentence than a UUID, which is generally much shorter than "I didn't think I needed a secret, but the voices in my head told me Express needed one".

How I use sessions:

.env file (always in my .gitignore file so it never hits my public repos):

SECRET="This is my funky secret oh my god it has ninja turtles"

app.js:

var express = require('express'),
    env = (function(){
      var Habitat = require("habitat");
      Habitat.load();
      return new Habitat();
    }()),
    app = express();

app.use(express.compress()); // gzip all the things. If possible.
app.use(express.bodyParser());
app.use(express.cookieParser());
app.use(express.cookieSession({
  key: "mysite.sid",
  // seeing this tells you nothing about the actual secret:
  secret: env.get("SESSION_SECRET"),
  cookie: {
    maxAge: 2678400000 // 31 days
  }
}));
app.use(express.csrf());

That CSRF bit ensures that page requests are coming from your own site, not cURL requests or embeds in other people's websites. http://expressjs.com/api.html#csrf for more info on that.

Comments