Yuli Stremovsky, Privacybunker founder


Implement Secure Session Storage for Web Apps to Outsmart Attackers


As web developers, we must ensure the security of data held in session storage. A session object contains critical information, such as user email addresses, permissions, and error messages. Protecting this data is especially important when it includes personal information such as Personal Identifiable Information (PII) or Personal Health Information (PHI).

In today’s digital landscape, the European Union’s emphasis on online privacy and data protection through the General Data Protection Regulation (GDPR) affects businesses worldwide. If your company serves European customers, GDPR compliance is non-negotiable, irrespective of your location.

This article delves deep into the world of GDPR and its implications for the storage of user-session information. We’ll explore the key considerations that developers must bear in mind to ensure secure session storage while meeting GDPR requirements.

To achieve this goal, we introduce Databunker—an open-source Swiss army knife tool designed to securely store personal records, PII, and PHI. We will explore how Databunker can seamlessly align with GDPR guidelines, ensuring your web application’s session storage remains both efficient and compliant.

What is a session?

A session is server-side storage of information that should persist throughout the user's interaction with the website or web application.

GDPR principle of integrity and confidentiality

GDPR is built on a number of principles, and integrity and confidentiality are among them. These principles require that appropriate security measures be in place to protect personal data.

So, do we need to encrypt personal data?

Although there are no explicit GDPR encryption requirements, the regulation does require you to enforce security measures and safeguards. The GDPR repeatedly highlights encryption and pseudonymization as “appropriate technical and organizational measures” of personal data security.

The GDPR requires companies to put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights. This is “data protection by design and by default”.

In this article I will cover smarter methods for making your session code privacy-compliant.

Introduction to Databunker

But first, let me give you a bit more information about what Databunker is and how it works since we’ll be discussing it in some of these methods below.

Databunker solution

Databunker is a GDPR-compliant user store service for web and mobile apps. It is a special application server that combines several software concepts into one product. It provides secure PII storage and privacy by design out of the box:

  1. A Personal Identifiable Information (PII) storage and vault
  2. Secure session storage for web applications
  3. Privacy portal for customers
  4. Application backend server
  5. DPO management tool
  6. Tokenization service
  7. Secret sauce

Project website: https://databunker.org/

Databunker API

Databunker provides an easy-to-use API for secure session storage. In the backend, Databunker encrypts session data and stores it in a regular SQL database (SQLite, MySQL, PostgreSQL). See the Databunker API documentation for additional information:

https://documenter.getpostman.com/view/11310294/Szmcbz32

Databunker support for Node.js

Databunker comes with excellent Node.js support. You basically add a few dependencies to your project and you are set. Our library does all the magic.

You can use the @databunker/session-store module to automatically use the secure storage provided by Databunker.

Here is a working example:

const { v4: uuidv4 } = require('uuid');
const app = require('express')();
const session = require('express-session');
// Wrap express-session's Store with the Databunker-backed implementation
const DataBunkerSessionStore = require('@databunker/session-store')(session);

// Databunker endpoint and API token; the DEMO token is for local testing only
const DataBunkerConf = {
  url: 'http://localhost:3000/',
  token: 'DEMO'
};

const s = session({
  genid: function(req) {
    return uuidv4();              // random, unguessable session id
  },
  secret: 'JustASecret',          // signs the session cookie; use a strong secret in production
  resave: false,
  saveUninitialized: true,
  store: new DataBunkerSessionStore(DataBunkerConf)  // session data lives in Databunker, not in process memory
});

app.use(s);

const port = 3200;
const host = '0.0.0.0';

app.get('/', (req, res) => {
  const sess = req.session;       // was an implicit global; declare it
  if (!sess.count) {
    sess.count = 1;
  } else {
    sess.count++;
  }
  res.send('Counter: ' + sess.count.toString());  // send() already ends the response
});

app.listen(port, host, () => {
  console.log(`Example app listening at http://${host}:${port}`);
});

Additional examples

  1. Node.js example implementing passwordless login using Databunker: https://github.com/securitybunker/databunker-nodejs-passwordless-login

  2. Node.js example with Passport.js, Magic.Link and Databunker: https://github.com/securitybunker/databunker-nodejs-example

Summary

With a few lines of code, you can make your session code compliant with privacy and security by design. It is not complicated.


Meet Yuli Stremovsky

👋 Hello! I am Yuli. I’m on a journey to change the world!

Proudly serving as the founder of Databunker, an open-source data security project that has already earned an impressive 1,000 stars on GitHub.

I'm excited to connect with exceptional software architects and visionary CTOs who are shaping the future of software innovation.

Together, let’s shape a more private and secure digital future!
