JavaScript User Authentication With Express and Mongo Sessions and Cookies Creating the Profile Route and Page

Would the req.session.userId check be a security flaw if this web app were to be deployed?

The code:

router.get('/profile', function(req, res, next) {
  if (! req.session.userId) {
    var err = new Error("You are not authorized to view this page.");
    err.status = 403;
    return next(err);
  }
  User.findById(req.session.userId)
    .exec(function (error, user) {
      if (error) {
        return next(error);
      } else {
        return res.render('profile', { title: 'Profile', name: user.name, favorite: user.favoriteBook });
      }
    });
});

Would it be possible for someone using a script they wrote to simply create a GET request and set a session.userId variable on it (and set it to anything), thus passing the if statement? Now obviously they would get an error since they would also have to get the correct ID, but as far as the request check goes, would a company with robust security use a different check?

So if someone did this:

$.ajax({
  url: "website.com/profile",
  type: "get", //send it through get method
  data: { 
    "session.userId": 'whatever'
  },
  success: function(response) {
    //Do Something
  },
  error: function(xhr) {
    //Do Something to handle error
  }
});
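
The route's check reads `req.session`, which the session middleware fills from server-side storage looked up by a signed cookie, not from request parameters. The following is an added example, not part of the original post or the course code: a simplified model of that behaviour using only Node's `crypto` module, where the secret, the in-memory store and all function names are assumptions made for illustration.

```javascript
// Simplified model of a server-side session check (added example; not express-session's own code).
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret';   // server-only signing key (constructed value)
const sessionStore = new Map();             // session id -> session data, held on the server

// Sign a session id in the form a signed cookie carries it: "<sid>.<hmac>".
function sign(sid) {
  const mac = crypto.createHmac('sha256', SECRET).update(sid).digest('base64url');
  return `${sid}.${mac}`;
}

// Return the session id only if the cookie's signature verifies.
function unsign(cookie) {
  const idx = cookie.lastIndexOf('.');
  if (idx < 0) return null;
  const sid = cookie.slice(0, idx);
  const expected = Buffer.from(sign(sid));
  const given = Buffer.from(cookie);
  if (expected.length !== given.length) return null;
  return crypto.timingSafeEqual(expected, given) ? sid : null;
}

// Runs after a successful login: the server picks the id and stores userId itself.
function login(userId) {
  const sid = crypto.randomBytes(16).toString('hex');
  sessionStore.set(sid, { userId });
  return sign(sid);                         // value that would go out in Set-Cookie
}

// Model of the /profile check: request data lands in req.query, never in req.session.
function profileStatus(url, cookie) {
  const params = new URL(url, 'http://example.test').searchParams;
  const req = { query: Object.fromEntries(params) };
  const sid = cookie ? unsign(cookie) : null;
  req.session = (sid && sessionStore.get(sid)) || {};   // forged or unknown id -> empty session
  return req.session.userId ? 200 : 403;
}

const cookie = login('constructed-user-id');
console.log(profileStatus('/profile?session.userId=whatever', null));  // request parameter only
console.log(profileStatus('/profile', 'guessed-sid.bad-signature'));  // cookie with a bad signature
console.log(profileStatus('/profile', cookie));                       // session created by login
```

What the check depends on in practice is the secrecy of the signing key, the unpredictability of the session id, and the cookie being sent only over HTTPS with `HttpOnly` set.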