This application now uses secure session-based authentication instead of storing credentials in localStorage.
- Session Management: Uses
cookie-sessionmiddleware for secure session handling - HTTP-Only Cookies: Prevents XSS attacks by making cookies inaccessible to JavaScript
- CSRF Protection: Uses
sameSite: 'strict'cookie setting - Secure Cookies: Automatically enabled in production (HTTPS only)
- Session Expiration: 24-hour session timeout
- Authentication Middleware: Protects API endpoints requiring authentication
- No Credential Storage: No longer stores sensitive tokens in localStorage
- Automatic Session Management: Sessions are handled transparently via cookies
- Credentials in Requests: All API calls include
credentials: 'include'for session cookies
Add these to your .env file:
SESSION_SECRET=your-very-secure-random-string-change-this-in-production
FRONTEND_URL=https://your-frontend-domain.com # For production CORS- Session-Based Authentication: User tokens are stored server-side in encrypted sessions
- HTTP-Only Cookies: Prevents client-side access to session data
- CSRF Protection: SameSite cookie policy prevents cross-site request forgery
- Secure Transport: Cookies are only sent over HTTPS in production
- Session Expiration: Automatic logout after 24 hours of inactivity
- Protected Routes: API endpoints require valid session
POST /api/auth/login- Authenticate with token, creates sessionPOST /api/auth/logout- Destroys sessionGET /api/auth/me- Check current authentication statusPOST /api/data- Protected endpoint requiring authentication
- Set
NODE_ENV=production - Use a strong, random
SESSION_SECRET - Configure
FRONTEND_URLfor proper CORS - Ensure HTTPS is enabled (required for secure cookies)