node.js - Express: is it safe to attach the user object to the req and res objects?
I use Express to write an app and want a global `current_user` variable so I can tell whether the user is logged in. So I added this middleware:
// Resolve the current user on every request before any route handler runs.
var userController = require('./controller/user');
app.use(userController.auth_user);
In user.js I define a method called `auth_user` that uses `res.locals` to set the global local `current_user`, and it also sets `req.session.user = user`.
exports.auth_user = function(req, res, next) { if (req.session.user) { res.locals('current_user', req.session.user); return next(); } else { var cookie = req.cookies['user_cookie']; if (!cookie){ res.locals('current_user', ""); return next(); }; var auth_token = decrypt(cookie, 'user_session'); var auth = auth_token.split('\t'); var user_email=auth[3].tolowercase(); user.findone({'email': user_email},function(err, result) { if(err) return next(err); if (result) { req.session.user = result; res.locals('current_user', req.session.user); return next(); }else{ return next(); } }); } };
So I put the user object on `req`, and while debugging I found that I can reach `user.hashed_password` through `req`. I think that's not safe. Can the user get at this information on the browser side?
As long as you do not expose the information anywhere else, it is safe. At least from the browser's perspective, it is not able to access the `req` object.
Anyway, the question is whether it is the best idea to attach the complete user object to the `req` object if you only need a specific part of it. Why not attach a stripped-down version of the object that does not include the hash?
Then the issue is gone anyway, no matter whether the browser is hypothetically able to access it or not.