
Going session-less with NodeJS

I've been doing a lot of research lately and it appears to me that going stateless server-side brings benefits to both performance & scalability.

I am, however, trying to figure out how to achieve session-less-ness on Node.js. It seems to me that basically all I have to do is assign a token to a logged-in user, so I would have something like this in my DB:

{ user:'[email protected]', pass:'123456', token:'long_id_here' }

so that the token can be sent with every HTTP request like this:

/set/:key/:val/:token

to be checked against the aforementioned DB object. Is this what is actually meant by a session-less web service?

If this is the right way, then I do not understand things like token expiry and other security issues. I would like to be pointed to an NPM package of some sort.


On a side note, is it best for a token to use a hash of the user+password, or to assign a different one at every login?

john smith asked Oct 20 '25 15:10


1 Answer

The reason to go sessionless is that most default session implementations use an in-memory store. That means that the session information is stored in memory local to that instance. Most websites these days are scaling out as traffic increases. This means they add more servers and balance the load between the servers. The problem with in-memory session stores is your user can log into Server 1, but if their next request is routed to Server 2, they don't have a session created yet and will appear to be logged off.

You don't necessarily need to go sessionless to scale out with node or any other server side language. You just need to use a session that isn't in local memory that would be accessible to all nodes. If you're using something like Express or Connect, you can easily use a session implementation like connect-redis which will enable you to have a fast session store which is accessible to all of your node instances so it doesn't matter which one is hit.

Timothy Strimple answered Oct 23 '25 07:10
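
The failure described in the answer and the shared-store fix, as an added example that is not part of the original question or answer: two simulated Node instances, first with private in-memory session stores, then with one store reachable from both. The Map-backed SessionStore stands in for Redis, and the class names, the 30-minute TTL and the user "alice" are assumptions made for illustration.

```javascript
// Added example: private in-memory session stores vs. one shared store.
const { randomBytes } = require("node:crypto");

const TTL_MS = 30 * 60 * 1000; // assumed 30-minute session lifetime

// Map-backed store; when shared between instances it stands in for Redis.
class SessionStore {
  constructor() { this.sessions = new Map(); }
  create(user, now) {
    // Fresh random token at every login, not derived from user or password.
    const token = randomBytes(32).toString("hex");
    this.sessions.set(token, { user, expires: now + TTL_MS });
    return token;
  }
  lookup(token, now) {
    const s = this.sessions.get(token);
    if (!s) return null;
    if (s.expires <= now) { this.sessions.delete(token); return null; } // expired
    return s.user;
  }
}

// One application instance behind the load balancer.
class AppServer {
  constructor(store) { this.store = store; }
  login(user, now) { return this.store.create(user, now); }
  whoami(token, now) { return this.store.lookup(token, now); }
}

// Log in on server 0, then route the follow-up request to server 1.
function loginThenSwitchServer(servers, now = Date.now()) {
  const token = servers[0].login("alice", now); // constructed sample user
  return {
    token,
    sameServer: servers[0].whoami(token, now),
    otherServer: servers[1].whoami(token, now),
    afterExpiry: servers[0].whoami(token, now + TTL_MS + 1),
  };
}

function demo() {
  const local = [new AppServer(new SessionStore()), new AppServer(new SessionStore())];
  const sharedStore = new SessionStore();
  const shared = [new AppServer(sharedStore), new AppServer(sharedStore)];
  return { local: loginThenSwitchServer(local), shared: loginThenSwitchServer(shared) };
}

console.log(demo());
```

With private stores the second instance does not recognise the token; with the shared store either instance resolves it until the expiry time passes.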