
Passport.js session management without cookie

I'm pretty new to the node world. I have looked around for this for a few days, and I can't find the way to do it with existing npm "official" solutions. If there is one, apologies, I'll hopefully get better in finding the right node resources.

I have implemented a working passport local policy following the various examples available on the internet. It works well.

I now want to implement session management, specifically I don't want to use cookies and use GET / POST parameters instead. The reason behind it is that I'm building this for an API service that might have to work with custom protocols (other than HTTP) where cookies/headers don't exist.

I have seen all sessions support implementation with passport and they all seem to rely on the express/connect session package, that, in turn, seems to support only cookies and have no way to read/write sessions key in POST / GET parameters.

Before I roll out my own bespoke solution, could you point me to anything already available, if it exists?

So you can do this.

passport.js uses the npm express-session middleware for the actual session infrastructure.

Since express supports pipelined arbitrary middleware I managed to use the following workaround:

  1. In your express setup, add a middleware function just before the express session middleware.

  2. In the middleware function, check to see if the session token/id exists on the request (as a header or in the body as required) and if so, read the session token/id from it.

  3. Set the session token/id onto request.cookies object (if you're using cookie-parser) and/or append to the serialised cookies in the headers: request.headers.cookie += ...my new cookie goes here...

  4. Make sure you name the cookie after the name you pass into express-session

express-session should now be able to pick it up off the request for resuscitation.
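Steps 1 to 4 above as a single middleware function; this is an added example, not code from the answer. The header name `x-session-token` and the body field `session_token` are assumptions, as is the client sending the session value unencoded; the token is validated before it is written into the `Cookie` header so it cannot carry extra cookies.

```javascript
// Added example: bridge a session id sent outside a cookie into the Cookie
// header so a cookie-based session middleware can read it.
// Assumed names (not from the original post): the "x-session-token" header
// and the "session_token" body field.
const SESSION_COOKIE = 'connect.sid'; // must equal the `name` passed to express-session

// Assumption: the client sends the unencoded session value. Only letters,
// digits and _ + / : . - are accepted, so ';', '=', ',', spaces and CR/LF
// cannot be used to smuggle extra cookies or header content.
const TOKEN_RE = /^[A-Za-z0-9_+\/:.-]{16,512}$/;

function sessionTokenBridge(req, res, next) {
  // A body parser must already have run if the token travels in the body.
  const body = req.body || {};
  const token = req.headers['x-session-token'] || body.session_token;
  if (token === undefined) return next(); // nothing to bridge

  if (typeof token !== 'string' || !TOKEN_RE.test(token)) {
    res.statusCode = 400;
    return res.end('invalid session token');
  }

  // Drop any cookie of the same name that also arrived, so the session
  // middleware sees exactly one value. Also covers a missing Cookie header,
  // where a plain `+=` would produce the string "undefined...".
  const cookies = (req.headers.cookie || '')
    .split(';')
    .map((c) => c.trim())
    .filter((c) => c && !c.startsWith(SESSION_COOKIE + '='));
  cookies.push(SESSION_COOKIE + '=' + encodeURIComponent(token));
  req.headers.cookie = cookies.join('; ');
  return next();
}

// Constructed request: token in a header plus a stale cookie of the same name.
const demoReq = {
  headers: {
    'x-session-token': 's:abcdefghijklmnop.c2lnbmF0dXJl',
    cookie: 'theme=dark; connect.sid=stale',
  },
};
sessionTokenBridge(demoReq, {}, () => console.log(demoReq.headers.cookie));
```

Register it with `app.use(sessionTokenBridge)` after the body parser and immediately before the express-session middleware.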

It looks like no, there is no way to do that, and the situation is still the one that can be inferred from this answer: passport.js local strategy- logging in with username, authenticate later requests with token by the passport.js creator himself.

I ended up creating my own. For the record the approach I used is to have two passport strategies:

  • a local strategy to handle login, and create a jwt token that is sent back to the user.
  • a bearer strategy to authenticate follow-up requests, retrieving the token from either GET or POST parameters, and using the user id stored in the token to query the users database. The jwt solution uses node-jwt-simple https://github.com/hokaccha/node-jwt-simple .

It all works, but I have lost the ability to easily fall back to a cookie based session. Hopefully someone more skilled than me might be able to create a solution to do so, taking advantage of the standard express session npm.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
