Although it is Node’s most popular session management library, express-session has its share of flaws and weaknesses, especially when it comes to security. This article analyzes the good and bad parts of express-session so that you can make an informed decision for your next app. We will use a point system: one point is awarded for performing well on a metric, and one is deducted for performing badly. At a minimum, we want a positive total at the end of the analysis (and the higher the total, the better). Here are the metrics we will be using:

  • Security: This is especially relevant because we’re talking about user session management.
  • Reliability and correctness: It is imperative that the library handles technical issues such as keeping its state consistent despite network or server failures, and synchronizing its logic in a clustered environment.
  • App user experience: We want a library that can provide the right experience for your app’s users – for example, does it allow a user to stay logged in for weeks or months while still providing good security?
  • Time to production: We will look at factors such as the time needed to integrate the library into an app, the support available, and how easy the library code is to understand.
  • Maintenance cost: We will assess the cost of maintaining the library over time.

Security

For background on why session security is important, read this blog post (Facebook, Docker and Gitlab have all had session vulnerabilities in the past 2 years). Session attacks can arrive through 3 attack vectors: the frontend, in transit (over the internet), or on the backend.
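Two of those three vectors are directly visible in the Set-Cookie header a session library emits: a cookie without HttpOnly can be read by script running in the page (frontend), and a cookie without Secure is sent over plaintext HTTP (in transit). The following is an added example, not code from the original article or from express-session itself: a small audit function that parses a Set-Cookie header and reports which of these protections are missing. The header strings are constructed for illustration; the only express-session fact it relies on is the library’s default cookie name, connect.sid.

```javascript
// Added example (not part of the original article or express-session):
// audit a Set-Cookie header for the attributes that address the frontend
// and in-transit attack vectors described above.

// Parse one Set-Cookie header value into the cookie name and a map of
// lower-cased attribute names to their values (true for flag attributes).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? true : part.slice(eq + 1).trim();
    attrs[key] = value;
  }
  return { name, attrs };
}

// Map the cookie's attributes onto the attack vectors they defend against.
// Returns { name, findings, ok } where findings lists the missing defences.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  const findings = [];

  // Frontend: without HttpOnly, any script running in the page (e.g. injected
  // via XSS) can read the session ID from document.cookie.
  if (!attrs.httponly) findings.push('frontend: missing HttpOnly');
  // Frontend: without SameSite=Lax or Strict the browser attaches the cookie to
  // cross-site requests, which is what a CSRF attack relies on.
  if (sameSite !== 'lax' && sameSite !== 'strict') findings.push('frontend: SameSite not Lax/Strict');
  // In transit: without Secure the browser will send the cookie over plain HTTP.
  if (!attrs.secure) findings.push('transit: missing Secure');
  // Backend fingerprinting: express-session's default cookie name tells an
  // attacker which session library (and therefore which defaults) is in use.
  if (name === 'connect.sid') findings.push('backend: default cookie name connect.sid');

  return { name, findings, ok: findings.length === 0 };
}

// Constructed sample headers: the first resembles an express-session cookie
// left on its defaults, the second a hardened configuration.
const weakHeader = 'connect.sid=s%3Aabc123.signature; Path=/';
const strongHeader = 'sid=s%3Aabc123.signature; Path=/; HttpOnly; Secure; SameSite=Lax';

console.log(auditSessionCookie(weakHeader));
console.log(auditSessionCookie(strongHeader));
```

Run it against the headers your own app actually sends (for example, copied from the browser’s network inspector) rather than the constructed samples; anything the audit cannot see from the header, such as how the session is stored or how the session ID is generated, belongs to the backend vector and has to be checked in the server configuration instead.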

[…]