Welcome to the Treehouse Community
Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.
Start your free trialVictor Novikov
6,322 Points"User id is never send to the client browser" -- but what do the send in a cookie then?
Dave in the lecture around 6:10 says
Session data is sensitive and only stored on the server. User_id is never send to the client browser.
Bur aren't we sending user_id to the browser from the server in a cookie? what is the conceptual difference here that I am not getting?
2 Answers
Neil McPartlin
14,662 PointsAt around 6:02 on the video, Dave is actually talking about userId when stating that this is only held on the server. You are correct however in saying that user._id gets returned in a session cookie. If you look at row 19 of index.js you see both parameters mentioned.
So userId is the unique identifier for each user in the Mongo DB whereas user._id to quote Dave is...
And user is our document, it represents all the information for a single logged in user, and finally the underscore ID is that unique ID that mongod gave the document when it was inserted into the database.
Vitaly Khe
7,160 PointsAs i understand 'express-session' manages the sessions by some given parameter. In our case it's easier for us to give a _id as a parameter to session instance as well as request something from session by _id. For example we could give other parameter to store a session for this user like: 'some key'. But we should keep a link in memory or somwhere (db, file) that for user 'Maxim' we gave a key to 'some key'; To avoid unnecessary operations we just give a _id of a user as a key to session and then we both know that key.
You will able to see connect.sid cookie given by a 'session' that recieved _id. And it's value of course not equal to _id for security reasons. let's say - This is a 'session' job..