
I am trying to create an application that can post data both through ajax and through traditional form requests. I am surprised by the lack of information I am finding online about the topic. I guess these days we all assume we have access to client side JS?

I went with express-session, but am getting frustrated at how hard it is to determine what's actually happening. From what I can understand it's caching cookie data on the client and somehow including those in requests automatically? Then is it safe to assume that this format will NOT work without client-side JavaScript support?

Given a form like this:

<form method="post" action="/create">
    <input name="value1" onChange={this.handleInput} value={this.state.value1} />
    <button onClick={this.submitForm}>Submit</button>
</form>

My requests sent via ajax will pass auth (due to having session data):

submitForm = (event) => {
    // Stop the browser's own form submission; the request goes out via fetch/XHR instead
    event.preventDefault();
    postUrl(`/create`, { value1: this.state.value1 })
        .then(jsonRes => {
            // works
        });
};

being picked up by auth middleware which uses express session and passport:

module.exports.secured = (loginUrl = "/employers") => {
    return (req, res, next) => {
        // Passport checks the session that the browser's cookie points at
        if (req.isAuthenticated()) { return next(); }
        // Remember where the user was going, then send them to the login page
        req.session.returnTo = req.originalUrl;
        // Do not call next() after redirecting: the response is already finished
        return res.redirect(loginUrl);
    };
};

which protects a pretty simple API route for creating:

router.post('/create', secured(), (req, res) => {
    // ... handler body omitted in the question ...
});

My thinking is that even if JS is enabled, I could handle the request at this route, but the problem is with authenticating.

What can I do to get my session data sent over in these 'non-js' requests?

I remember in traditional web stacks like Rails or PHP some sort of token is rendered into the form in a hidden field or in the action on render. If this would work, does anyone know how to get the 'vital data', so to speak, out of the express session to send as the token? Not possible?

Looking in req.cookies or req.session of the req object that gets parsed in the server-side render, I do not see anything that would be useful for this.

  • I don't understand, are you trying to write an application without JavaScript? Why are you using React? Look at the network requests in your developer tools: a cookie should always be sent with every request to your server automatically. When you authenticate on the server through a request, the server sends back a response with a Set-Cookie header, and that cookie will be attached to every request sent afterwards so that the server knows who you are. Could you please explain your question in more detail? Commented Jan 31, 2019 at 2:55
  • I didn't realize cookies were actually saved at the HTTP level regardless of JavaScript. That pretty much answers it; sorry for the confusing question. Commented Jan 31, 2019 at 3:00

1 Answer

What can I do to get my session data sent over in these 'non-js' requests?

Usually the response to your login would send a Set-Cookie header to indicate to the client that it should store said cookie, implying it would be used to identify itself.

Who stores cookies? It's not JavaScript but the browser, so if you used curl or a scraper, your clients would have to fetch the cookie returned and include it in subsequent requests.

What you mention about a token in the form is not for authentication but for cross-site request forgery, meaning that since you served a token (and stored it somehow server-side) you would only accept a login request including said token (proving someone navigated to your site's login page), so as to prevent other websites or clients who didn't go to your login from attempting to POST (i.e. a scraper).

Also, sessions don't necessarily mean authentication; modern frameworks tend to issue a session regardless of whether the user is authenticated.


1 Comment

Yeah, it looks like the cookie actually does get set in the request, even with JS disabled. Oops..
