{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 \"骚年 ilove 的问题《Safe to store complete user info in session with S》','https://www.manongdao.com/q-898556.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm building a Sails.js app that includes a user login. As the documentation instructs, when a user signs in, the session records her id in the session accordingly:
req.session.userId = createdUser.id;
In most of the examples, each route performs a lookup on this ID, if it's present, and sends the authenticated user to the view if found. This strikes me as very inefficient. EVERY view needs to know if there's a signed-in user in order to display her name in the upper left corner. So, if I understand right, every view includes a trip to the database to look up the user, even if I reduce the amount of code by creating a policy that performs this lookup for every route.
What I would rather do is record the user's information in the session so that, once she is authenticated, that information is automatically present to every view:
req.session.userId = createdUser.id;
createdUser.loggedIn = true;
req.session.user = createdUser;
// the createdUser object does NOT contain the encrypted password or other sensitive info
This then allows me to just check in the template for a signed-in user like so from the layout parent template (and any child template). (I'm using server-side views.)
{% if (session.user && session.user.loggedIn) %}
<li><a href="/profile/{{ session.user.id }}">Hi there, {{ session.user.username }}</a></li>
{% else %}
<li><a href="/signin">Sign In (if you want)</a></li>
{% endif %}
My question is whether this poses a security risk of any kind. It seems MUCH more efficient than looking up the User in every view, but perhaps there's a reason that documentation seems to advise this?
FYI, ideally this should be handled by a policy.
Either you make extra roundtrips to the database or you bloat your sessions. Both have their pros and cons. E.g. when creating a backend application that does not have to scale, I do not care about this extra database lookups. However when I have hundred thousands of users I should care. You have to consider this when you architect your application. Applications that need to scale like to use e.g. redis as a session store for optimization.
So to answer your question, yes it is okay to store username etc. in the session object to avoid extra database lookups. I am not a security expert, but I would not suggest to store any sensitive user information in the session like passwords.
BTW I highly recommend using http://passportjs.org/. It integrates with sails very well.
To get you started:
In this example you can see how username, email and the roles of the user are stored in the session object: