I am looking for some information on best practices when using the passport local strategy. I went through the local strategy example that uses an authToken for login persistence, found on GitHub. When speaking with a coworker, they posed the question: how is storing this token in a session cookie any more secure than storing a password, because it's essentially your authenticated identity on the server? So how do I answer this question? It's a green question; I admittedly don't fully understand the entire lifecycle. So how is this a safe solution when integrated with bcrypt and Mongo like the example is? And if it was merely an example and not necessarily meant to show a robust solution, what are some best practices to keep our users and our application safe?
https://github.com/jaredhanson/passport-local/tree/master/examples/express3-mongoose-rememberme
Your coworker is not wrong; the implementation is not very secure (in fact it could be argued to be less secure, since the sessionId can be used as is, without encryption).
It's more secure only in the fact that it can only be used within 30 days, while the username/password can be used until the user removes it. (It's also more useful because you can remove the sessionId without changing the password.)
However, it is not the secure way of implementing Remember me; see The definitive guide to forms based website authentication for information on a good way of implementing rememberMe.
Basically you need to change the github code to do the following:
Also, always use https when logging in with username/password (at the very least).
edit: I've put an example of what I personally use now in a gist: https://gist.github.com/Illniyar/5432646 Maybe it'll help you get along (though it's a bit jumbled). The tokens work as advertised, but I'm not using passport yet; it shouldn't be too hard to port it to passport though. Note also how the password for the user is kept (secure with a different salt for each user), and how logout is performed.