Node.js >= v18.0
- Add a "session" attribute to the appusers table.
- When the user logs in, store the session ID in the "session" attribute of the user's record. Please do not make any other changes to the database.
- When the user navigates to the site, the back-end (1) checks if the user is logged in and has an active session; and (2) if so, the back-end looks up the user record based on the session ID and shows a simple welcome page showing the user's name and the contents of the "info" column. Otherwise, the user is directed to a login/create account page.
- When the user logs out, the session ID is deleted from the user's record (or is replaced with some placeholder value such as "not logged in").
- Add an option to allow users to register (i.e., add their user name and password). Use node.js's bcrypt package to securely store and verify passwords (in the SQL database).
- Use node.js's password strength checker package to check whether the user's password is strong according to OWASP 10 requirements covered in class.
- Add a self-signed HTTPS certificate.
- Configure the client-sessions package to have the session expire after 10 mins inactivity (which the program already uses).
- Add CSP protection and make session cookies HttpOnly to ensure some protection against XSS.
- Make sure that the webapp has a privilege-restricted database account.
- Create a MySQL database `users` with hostname `localhost`.
- Create an `appusers` table with the following schema: `username`, `password`, `info`, `session`.
- Create user `appaccount` with password `apppass`.
- Run the query `GRANT SELECT, INSERT, UPDATE ON users.appusers TO 'appaccount'@'localhost';` to grant `SELECT, INSERT, UPDATE` privileges to `appaccount`.
- Navigate to the main directory of `web_security_practice` and run `npm install` to install dependencies.
- Run `node sessions.js`, then open a browser and enter the address `https://localhost:3000/`.
- Khang Ta
- Ethan Bartlett
- Edmond Tongyou
- Sebastian Reyes
- Miranda Smith