Databunker is a lightning-fast, open-source service written in Go for the secure storage of sensitive personal records. It protects user records against SQL and GraphQL injection behind a simple API and streamlines GDPR, HIPAA, ISO 27001 and SOC 2 compliance.
For web developers, securing the data held in session storage is essential. A session object carries sensitive information such as the user's email address, permissions and error messages, and protecting it matters all the more when it contains personally identifiable information (PII) or protected health information (PHI).
In today’s digital landscape, the European Union’s emphasis on online privacy and data protection through the General Data Protection Regulation (GDPR) affects businesses worldwide. If your company serves European customers, GDPR compliance is non-negotiable, irrespective of your location.
This article looks at the GDPR and what it implies for the storage of user-session information, and at the key considerations developers must keep in mind to store sessions securely while meeting GDPR requirements.
To that end, we introduce Databunker, an open-source Swiss army knife for securely storing personal records, PII and PHI, and show how it fits the GDPR guidelines so that your web application's session storage stays both efficient and compliant.
A session is server-side storage for information that should persist throughout the user's interaction with a website or web application.
The GDPR rests on a number of principles, among them integrity and confidentiality, which require that appropriate security measures be in place to protect personal data.
Although the GDPR contains no explicit encryption requirement, it does require you to put security measures and safeguards in place, and it repeatedly names encryption and pseudonymisation as "appropriate technical and organisational measures" for securing personal data.
The GDPR requires companies to adopt appropriate technical and organisational measures that implement the data protection principles effectively and safeguard individual rights. This is "data protection by design and by default".
In this article I cover practical methods for making your session code privacy-compliant.
But first, a little more about what Databunker is and how it works, since it features in several of the methods below.
Databunker is a GDPR-compliant user-store service for web and mobile apps. It is a special-purpose application server that combines several software concepts and provides secure PII storage and privacy by design out of the box.
Project website: https://databunker.org/
Databunker provides an easy-to-use API for secure session storage. On the back end, Databunker encrypts the session data and stores it in a regular SQL database (SQLite, MySQL or PostgreSQL). See the Databunker API documentation for details:
https://documenter.getpostman.com/view/11310294/Szmcbz32
Databunker comes with good Node.js support: add a few dependencies to your project and you are set; the library does the rest.
Use the @databunker/session-store module to have express-session keep its data in the secure storage provided by Databunker.
Here is a working example:
const { v4: uuidv4 } = require('uuid');
const app = require('express')();
const session = require('express-session');
const DataBunkerSessionStore = require('@databunker/session-store')(session);

// Databunker endpoint and API token. Replace 'DEMO' with the token of your
// deployment, ideally read from the environment rather than from source.
const DataBunkerConf = {
  url: 'http://localhost:3000/',
  token: 'DEMO'
};

const s = session({
  // Session ids must be unpredictable; uuid v4 is randomly generated.
  genid: function (req) {
    return uuidv4();
  },
  // Secret used to sign the session-id cookie; keep it out of source too.
  secret: 'JustASecret',
  resave: false,
  saveUninitialized: true,
  // Session data is encrypted and stored by Databunker, not kept in memory.
  store: new DataBunkerSessionStore(DataBunkerConf)
});
app.use(s);

const port = 3200;
const host = '0.0.0.0';

app.get('/', (req, res) => {
  const sess = req.session;   // 'const' avoids leaking an implicit global
  if (!sess.count) {
    sess.count = 1;
  } else {
    sess.count++;
  }
  res.send('Counter: ' + sess.count.toString());   // send() ends the response
});

app.listen(port, host, () => {
  console.log(`Example app listening at http://${host}:${port}`);
});
Node.js example implementing passwordless login using Databunker: https://github.com/securitybunker/databunker-nodejs-passwordless-login
Node.js example with Passport.js, Magic.Link and Databunker: https://github.com/securitybunker/databunker-nodejs-example
With a few lines of code, your session handling becomes privacy-by-design and security-by-design compliant. It is not complicated.