Should every user have a different session key?

[thibpun]

Hello,

I've set up remix-auth, similarly as in the readme.

const authenticator=new Authenticator<UserSession>(sessionStorage,{
    sessionKey:"What should this value be?",
});

const formStrategy=new FormStrategy(async({form})=>{
    const email=form.get('email') as string;
    const passwordAttempt=form.get('password') as string;

    const res =await pool.query<User>(
        "SELECT id,username, password FROM users WHERE email=$1;",[email]
        );
    const user=res.rows[0];
    if(user==undefined) throw new AuthorizationError("Bad Credentials");
    const [salt,key]=user.password.split(':')

    const hashedBuffer=crypto.scryptSync(passwordAttempt,salt,64);
    const keyBuffer=Buffer.from(key,'hex');
    const match=crypto.timingSafeEqual(hashedBuffer,keyBuffer);

    if(match){
        const sessionId=uuidv4();
        const userSession:UserSession={
            username:user.username,
            id: sessionId,
        }
        return userSession;
    }
    else throw new AuthorizationError("Bad Credentials")
})

authenticator.use(formStrategy, "form")

export default authenticator;

It works, users can register/log in and their session persists. But I'm having problems grasping what the session key property is for. I store the username and sessionID in the session storage, if I try to store the sessionID in the session key property then it's the same for every user because the authenticator is instantiated only when the server starts.

I guess doing something wrong but I have no idea what, some help would be appreciated.

Thanks.

[sergiodxa]

The session storage is an object, the data you return is stored in a key of that object, that key is the session key, by default the session key is user.