Implement Secure Session Storage for Web Apps to Outsmart Attackers

As web developers, we must ensure that the data kept in session storage is secure. A session object holds critical information such as user email addresses, permissions, and error messages. Protecting this data is especially important when it includes Personal Identifiable Information (PII) or Personal Health Information (PHI).

In today’s digital landscape, the European Union’s emphasis on online privacy and data protection through the General Data Protection Regulation (GDPR) affects businesses worldwide. If your company serves European customers, GDPR compliance is non-negotiable, irrespective of your location.

This article delves deep into the world of GDPR and its implications for the storage of user-session information. We’ll explore the key considerations that developers must bear in mind to ensure secure session storage while meeting GDPR requirements.

To achieve this goal, we introduce Databunker—an open-source Swiss army knife tool designed to securely store personal records, PII, and PHI. We will explore how Databunker can seamlessly align with GDPR guidelines, ensuring your web application’s session storage remains both efficient and compliant.

What is a session?

A session can be defined as server-side storage of information that should persist throughout the user's interaction with the website or web application.

GDPR principle of integrity and confidentiality

GDPR stands on a number of principles, and integrity and confidentiality are among them. These principles require that appropriate security measures be in place to protect personal data.

So, do we need to encrypt personal data?

Although there are no explicit GDPR encryption requirements, the regulation does require you to enforce security measures and safeguards. The GDPR repeatedly highlights encryption and pseudonymization as “appropriate technical and organizational measures” of personal data security.

The GDPR requires companies to put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights. This is “data protection by design and by default”.

In this article I will cover smarter methods to make your session code privacy-compliant.

Introduction to Databunker

But first, let me give you a bit more information about what Databunker is and how it works since we’ll be discussing it in some of these methods below.

Databunker solution

Databunker is a GDPR-compliant user store service for web and mobile apps. It is a special-purpose application server that combines several software concepts. It provides secure PII storage and privacy by design out of the box:

  1. A Personal Identifiable Information (PII) storage and vault
  2. Secure session storage for web applications
  3. Privacy portal for customers
  4. Application backend server
  5. DPO management tool
  6. Tokenization service
  7. Secret sauce

Project website: https://databunker.org/

Databunker API

Databunker provides an easy-to-use API for secure session storage. In the backend, Databunker encrypts the session data and stores the resulting ciphertext in a regular SQL database (SQLite, MySQL, PostgreSQL), so the database itself never holds session contents in the clear. See the Databunker API documentation for additional information:

https://documenter.getpostman.com/view/11310294/Szmcbz32

Databunker support for Node.js

Databunker comes with excellent Node.js support. You basically add a few dependencies to your project and you are set. Our library does all the magic.

You can use @databunker/session-store module to automatically use secure storage provided by Databunker.

Here is a working example:

const { v4: uuidv4 } = require('uuid');
const app = require('express')();
const session = require('express-session');
// The Databunker store plugs into express-session's Store interface.
const DataBunkerSessionStore = require('@databunker/session-store')(session);

// Connection to the Databunker service. 'DEMO' is the demo token;
// in production the token belongs in configuration, not in source code.
const DataBunkerConf = {
  url: 'http://localhost:3000/',
  token: 'DEMO'
};

const s = session({
  // Session IDs are random UUIDs. Only this ID travels in the cookie;
  // the session contents stay encrypted inside Databunker.
  genid: function(req) {
    return uuidv4();
  },
  secret: 'JustASecret', // signs the session cookie; use a strong value from the environment
  resave: false,
  saveUninitialized: true,
  store: new DataBunkerSessionStore(DataBunkerConf)
});

app.use(s);

const port = 3200;
const host = '0.0.0.0';

app.get('/', (req, res) => {
  const sess = req.session;
  if (!sess.count) {
    sess.count = 1;
  } else {
    sess.count++;
  }
  // res.send() finishes the response; no separate res.end() is needed.
  res.send('Counter: ' + sess.count.toString());
});

app.listen(port, host, () => {
  console.log(`Example app listening at http://${host}:${port}`);
});

Additional examples

  1. Node.js example implementing passwordless login using Databunker: https://github.com/securitybunker/databunker-nodejs-passwordless-login

  2. Node.js example with Passport.js, Magic.Link and Databunker: https://github.com/securitybunker/databunker-nodejs-example

Summary

With a few lines of code, you can make your session code compliant with privacy and security by design. It is not complicated.


Meet Yuli Stremovsky

👋 Hello! I am Yuli, the founder of the Databunker project. I'm on a mission to assist startup founders in securing customer data!

I'm excited to connect with exceptional software architects, visionary CTOs, and innovative product leaders who are shaping the future of the software industry.

Together, let’s shape a more private and secure digital future!

You can always reach me at yuli@privacybunker.io.
