Session Management
Implement secure session management with proper token handling and storage.
Token-Based Sessions
const jwt = require('jsonwebtoken');
function generateTokens(user) { const accessToken = jwt.sign( { userId: user.id, role: user.role, type: 'access' }, process.env.JWT_SECRET, { expiresIn: '1h' } );
const refreshToken = jwt.sign( { userId: user.id, type: 'refresh' }, process.env.REFRESH_SECRET, { expiresIn: '7d' } );
return { accessToken, refreshToken }; }
Redis Session Storage
const redis = require('redis'); const client = redis.createClient();
class SessionStore {
async create(userId, sessionData) {
const sessionId = crypto.randomUUID();
await client.hSet(sessions:${userId}, sessionId, JSON.stringify({
...sessionData,
createdAt: Date.now()
}));
await client.expire(sessions:${userId}, 86400 * 7);
return sessionId;
}
async invalidateAll(userId) {
await client.del(sessions:${userId});
}
}
Cookie Configuration
app.use(session({ name: 'session', secret: process.env.SESSION_SECRET, cookie: { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'strict', maxAge: 3600000, // 1 hour domain: '.example.com' }, resave: false, saveUninitialized: false }));
Token Refresh Flow
app.post('/auth/refresh', async (req, res) => { const { refreshToken } = req.cookies;
try { const payload = jwt.verify(refreshToken, process.env.REFRESH_SECRET); if (payload.type !== 'refresh') throw new Error('Invalid token type');
const user = await User.findById(payload.userId);
const tokens = generateTokens(user);
res.cookie('accessToken', tokens.accessToken, cookieOptions);
res.json({ success: true });
} catch (err) { res.status(401).json({ error: 'Invalid refresh token' }); } });
Security Requirements
-
Use HTTPS exclusively
-
Set httpOnly and sameSite on cookies
-
Implement proper token expiration
-
Use strong, unique secrets per environment
-
Validate signatures on every request
Never Do
-
Store sensitive data in tokens
-
Transmit tokens via URL parameters
-
Use weak or shared secrets
-
Skip signature validation