Crazy Horse

asked:

Remove password from user session after login

When a user logs in I create a user object and store it in a session variable. However, it is also storing the hashed password in the session, but I would rather not do that. Is there a way to just remove the password from the session, or would I have to create a separate session variable for everything I wanted to store in a session? e.g.:

    // Inside an Express login route handler; User (a Mongoose model), bcrypt,
    // email and password are already in scope.
    User.findOne({ email: email })
    .then(user => {
        if (!user) {
            return res.status(422).render('auth/login', {
                path: '/login',
                pageTitle: 'Login',
                errorMessage: 'Invalid login details',
                email: email
            });
        }
        // return the inner promise so a rejection reaches the outer chain
        return bcrypt.compare(password, user.password)
        .then(doMatch => {
            if (doMatch) {
                req.session.isLoggedIn = true;
                req.session.user = user; // the whole document, hash included, is written to the session store
                return req.session.save((err) => {
                    res.redirect('/dashboard');
                });
            }
            // the remainder of the handler was not included in the post
        });
    });


So instead of req.session.user = user maybe I would have to do:

    req.session.user.email = user.email
    req.session.user.firstName = user.firstName


And so on. I did try this but the password still remains in the session:

    req.session.user = { ...user }
    delete req.session.user.password

David Favor

Just remove the hashed password value.

If the person has already logged in, then you'll likely generate some sort of session cookie to prove they're logged in, so no reason to keep a copy of their password around in any form.

Study the WordPress docs + code, for how WordPress handles user management.

You'll likely find the WordPress approach useful to study.
ASKER CERTIFIED SOLUTION
Zakaria Acharki
Crazy Horse

ASKER

That is a step in the right direction, as now instead of showing the hashed password in the user object in the database, it just says password: null. But how can I remove the password completely so it doesn't even show up at all in the user object?

Then you could remove the property instead using "delete", like:

    delete user.password;


Tried that but it doesn't seem to work. The password is still showing up in the user object in the database.

    delete user.password;
    req.session.user = user;


Should work; are there any errors in the log? Make sure the cache is cleared...

Try this one too:

    delete req.session.user['password'];


Sorry for the delayed response. That doesn't work either. I deleted all my sessions in the database, cleared the browser cache, and it just redirects me back to the login page as the user session is never created.

OK, I see. Why do you want to remove the property entirely from the object?

I am just not comfortable with the password being in there; it is unnecessary. It is hashed, but still, I just don't want the password hanging around in there.

OK, I see. I think we are dealing with a frozen object here:

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/freeze

You could give it a null value instead, as I showed you in the earlier comment; otherwise we can't remove the property itself.

Thanks, I guess I will have to go with the null option. David, thanks for the answer, but this is Node.js; I'm not sure the WordPress docs will help.
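As an added example (not code from the thread or from Mongoose), this shows why `delete user.password` and `{ ...user }` both leave the hash behind on a Mongoose-style document, beside an allowlist helper that copies only the fields the session actually needs. `FakeDoc`, `toSessionUser`, `SESSION_FIELDS` and the sample user are constructed stand-ins; the prototype-accessor layout is an assumption meant to mirror how Mongoose exposes schema paths.

```javascript
// Constructed stand-in for a Mongoose document (assumption: schema paths are
// accessors on the prototype, backed by an internal `_doc` store).
class FakeDoc {
  constructor(fields) { this._doc = { ...fields }; }
  toObject() { return { ...this._doc }; }
}
for (const field of ['_id', 'email', 'firstName', 'password']) {
  Object.defineProperty(FakeDoc.prototype, field, {
    get() { return this._doc[field]; },
    enumerable: true,
  });
}

// Allowlist of fields permitted to reach the session store; everything else stays out.
const SESSION_FIELDS = ['_id', 'email', 'firstName'];

// Builds the plain, minimal object to assign to req.session.user. Accepts a
// Mongoose-style document (via toObject()) or a plain object; copies only the allowlist.
function toSessionUser(user) {
  const plain = typeof user.toObject === 'function' ? user.toObject() : user;
  const out = {};
  for (const key of SESSION_FIELDS) {
    if (plain[key] !== undefined) out[key] = plain[key];
  }
  return out;
}

// Replays the attempts from the thread against the stand-in and returns what each leaves behind.
function demo() {
  const user = new FakeDoc({
    _id: 'u1', email: 'ann@example.com', firstName: 'Ann', password: '$2b$10$constructedhash',
  });

  delete user.password;               // `password` is not an own property, so nothing is removed
  const afterDelete = user.password;

  const spread = { ...user };         // copies the own `_doc` property, hash and all
  const afterSpread = spread._doc.password;

  const safe = toSessionUser(user);   // only the allowlisted fields survive
  return { afterDelete, afterSpread, safe, hasPassword: 'password' in safe };
}
```

Keeping the session record to an allowlisted identity subset also limits what leaks if the session store itself is ever exposed.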