I have a very simple node.js application built with Express that handles authentication using in-memory session storage. Basically, the user logs in:
```javascript
app.post('/sessions', function(req, res) {
  // check username/password and if valid set authenticated to true
  if (authenticated) {
    // mark the session as logged in; requireLogin checks for this property
    req.session.user = req.body.username;
  }
  ...
});
```
Then, on each call from the browser, the requireLogin middleware function is called, which checks whether this user property is set on the session.
Now I want the application, in principle, to simply provide a service that may or may not be used from a browser. So instead of using cookies/sessions, I am considering changing the system so that you can send a request to /getToken (instead of /sessions), which returns a temporary random token associated with the user account; that token can then be used for a certain period of time to access the service. Using the service would require a valid token to be included in each call. (I suppose this would be better than passing the username/password each time, so that the password does not need to be kept in memory on the client machine after the call to obtain the token?)
Would such a system as a whole be as secure as the existing one, or is there a more standard/secure way to handle this? What is the standard way to deal with something like this?
Thanks in advance for your help!