Passport-local: Parameters of session:false not work

Created on 13 Feb 2017 · 3 Comments · Source: jaredhanson/passport-local

I tried this example code passport-local-example and applied parameters to local strategy.

//express-4.x-local-example/server.js
passport.use(new LocalStrategy({
  usernameField: 'email',
  passwordField: 'passwd',
  passReqToCallback: true,
  session: false
}, function(req, username, password, done) {
  // request object is now first argument
  // ...
}));

However, it seems that session is still in use. I could get user's password from req.session.user.

Only username, password and callback are set in this lib.

//passport-local/lib/strategy.js
var passport = require('passport-strategy');

function Strategy(options, verify) {
  if (typeof options == 'function') {
    verify = options;
    options = {};
  }
  if (!verify) { throw new TypeError('LocalStrategy requires a verify callback'); }

  // Only these option keys are read; anything else (e.g. `session`) is ignored.
  this._usernameField = options.usernameField || 'username';
  this._passwordField = options.passwordField || 'password';

  passport.Strategy.call(this);
  this.name = 'local';
  this._verify = verify;
  this._passReqToCallback = options.passReqToCallback;
}

I don't have experience in security. Is it correct that I could get user's password in req.user.password?
Will this be unsafe?

All 3 comments

I also realized that sessions are always in use, even when set to false in the strategy options. This is an issue, right?

Bit of a late answer but as reference for everyone else:

The sessions option described in the readme appears to be wrong (see PR to fix this).

It needs to be added to the passport.authenticate middleware initialization instead (source):

app.post('/login', passport.authenticate(['local'], {
  session: true
  /** other options **/
}), (req, res) => {
  /** your handler */
})

Same here https://github.com/jaredhanson/passport-local/issues/155

session: false has to be in

passport.authenticate('local', { session: false })