Session: Use Session without cookies

Created on 16 Mar 2018 · 6 Comments · Source: expressjs/session

Is there any way to use this source or parts of it to create session without cookies? Or does anyone know a better fitting project?

I have a REST API which is called by various services. The user id, which I use as a session id, is in the payload of these requests. The incoming format of the JSON payload, and also the position of the user id, is different depending on the client which sends the request.

I wanna use this user/session id to create a session, keep it alive and delete it after a certain time (clean up). The data could be kept in-memory or in a database.

Many thanks for any advice.


All 6 comments

I have a PR open for something like this (https://github.com/expressjs/session/pull/170). Unfortunately, as it stands now the answer to your question is no. Even with that PR it wouldn't support your use case.

One other note: Using predictable session ids is an insecure practice and should be avoided. So try not to use user ids like you described, but generate uuids that are only used for auth and session tracking. If you have to build your own solution, you can use how this package generates session ids as a resource.

Other Other note: Instead of passing the session id in the body, it is more common to pass it in a header. If it is also used for authentication, as is common, you can use the Authorization header. Google for "bearer token http auth" or something like that for resources.
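The approach from the notes above, as an added example that is not part of the thread or of express-session's code: a session keyed by a random token from the CSPRNG, sent in the Authorization header, with sliding expiry and clean-up. The names `TokenSessionStore`, `bearerToken` and `bearerSession`, the 24-byte token length and the hex encoding are assumptions of this example.

```javascript
// Added example: cookie-less sessions keyed by a random bearer token.
const crypto = require('crypto');

class TokenSessionStore {
  constructor(ttlMs, now = Date.now) {    // `now` is injectable so expiry can be tested
    this.ttlMs = ttlMs;
    this.now = now;
    this.sessions = new Map();            // token -> { data, expires }
  }
  create(data = {}) {
    // 24 bytes from the CSPRNG; the token is never derived from a user id.
    const token = crypto.randomBytes(24).toString('hex');
    this.sessions.set(token, { data, expires: this.now() + this.ttlMs });
    return token;
  }
  get(token) {
    const entry = this.sessions.get(token);
    if (!entry) return null;
    if (entry.expires <= this.now()) {    // expired: delete on access
      this.sessions.delete(token);
      return null;
    }
    entry.expires = this.now() + this.ttlMs;  // sliding expiry keeps active sessions alive
    return entry.data;
  }
  destroy(token) { return this.sessions.delete(token); }
  sweep() {                               // periodic clean-up, e.g. called from setInterval
    let removed = 0;
    for (const [token, entry] of this.sessions) {
      if (entry.expires <= this.now()) { this.sessions.delete(token); removed++; }
    }
    return removed;
  }
}

// Accept only "Authorization: Bearer <48 hex chars>"; anything else yields null.
function bearerToken(headers) {
  const m = /^Bearer ([0-9a-f]{48})$/.exec(headers.authorization || '');
  return m ? m[1] : null;
}

// Express-style middleware: sets req.session or answers 401.
function bearerSession(store) {
  return (req, res, next) => {
    const token = bearerToken(req.headers);
    const data = token && store.get(token);
    if (!data) { res.statusCode = 401; return res.end('invalid or expired session'); }
    req.session = data;
    next();
  };
}
```

The user id from the request payload belongs in the session data (`store.create({ user: id })`) after the caller has been authenticated, not in the token itself.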

Many thanks for that answer and your notes. I hoped there was a trick to use this library without cookies. If anyone knows an alternative, please let me know.

You could implement a middleware before your session one that will find your client id in the body and then assign it to req.cookie['_sid']; then everything should work as if it was a cookie.

This would be really useful for chatbots.

@sueess Did the solution given by @dotconnor solve your problem, or is this still occurring?

I developed my own session handling. I did not test the solution of @dotconnor, but it sounds feasible.
