As we know, the Session object is exposed to the client. Should we do a server check against the info in Session?
// server pseudo code
if (session.id === someEntry.createdById) {
  // do sth..
}
Or, simply put, is it possible for a hacker to, let's say, change the user.id in the session?
I'm using the database session strategy. But I guess the same question applies to the jwt strategy (I vaguely remember that there's some secret to encrypt the jwt, but just to confirm here).
declare module "next-auth" {
  /**
   * Returned by `useSession`, `getSession` and received as a prop on the `SessionProvider` React Context
   */
  interface Session extends DefaultSession {
    user: DefaultSession["user"] & {
      id: string;
      // ...other properties
      // role: UserRole;
    };
  }
}
https://next-auth.js.org/getting-started/typescript#module-augmentation