I have a Node.js API on api.com that authenticates users based on Sessions. How can I save session from api in api.com to client.com?
For example; I'm going to send a request from client.com to api.com and add a session cookie to client.com from the api on api.com.
My session settings;
app.use(session({
secret: process.env.SECRET,
resave: false,
saveUninitialized: false,
store
}))
Related
i'm working on micro services with express js with express-session set up like this:
server.use(session({
name: 'apps',
resave: false,
saveUninitialized: false,
secret: 'secretToken',
cookie: {
sameSite: false,
secure: false, // true
httpOnly: false, // false
}
}));
i apply the same setup with all services.
but then it's only work with just only one services. other services can't share the same data from other service, i'm putting access token in the req.session to let other apps having the same access token.
Is there a way for me to let different service using the same session?
The default server-side session storage is MemoryStore. Which means each service store the session data on their own process. Memory cannot be shared between different processes.
In order for microservices to share session data, we need separate storage, such as connect-redis, connect-mongo.
All microservices connect the redis or database server and use them as session data storage when initializing express-session middleware.
Workflow:
Client send HTTP request(with session id stored in a cookie) => Service A or Service B or Service C => express-session get the session data from redis or database by session-id => do your things.
Basically, I have a sign-in form, running on AUTH.domain.com and I create a session (saved in cookie) for the logged users. Then I redirect the user to APP.domain.com, and I need his session to be passed also to this subdomain, but we can't figure, how to do that.
Authorization works with passport.js, and session set from passport.js
I tried set domain option on cookies middleware and set res.sessionOption.domain = '.domain.com'. But this does work.
app.use(cookiesession({
secret: 'secretstring',
saveUninitialized: false,
resave: true,
domain: '.domain.com'
}));
app.use(passport.initialize());
app.use(passport.session());
req.sessionOptions.domain = '.domain.com';
Try setting the domain to domain.com (note the omission of the preceding .)!
I am using passport.js local strategy for login but not being able to set session. I have two servers i.e. localhost:3000 is for node and another is localhost:4200. Here I want to set session on request from localhost:4200.
How your session is configured ??
Here's an example of how you can do it.
app.use(session({
secret: 'some secret that must not be explicit in code',
saveUninitialized: true,
resave: true,
store: new MongoStore({
mongooseConnection: mongoose.connection
})
}))
I am using the express-session module, it works perfectly on localhost but on my website (hosted on Heroku using Cloudflare), the express session is being blocked as being a third party cookie. Here is the configuration for my session:
app.use(session({
resave: false,
saveUninitialized: false,
proxy : true,
cookie: {
maxAge: 3600000000000,
httpOnly: false,
secure: false,
domain: '.mydomain.com',
path: '/'
},
store: sessionStore,
secret: 'mysecret',
unset: 'destroy'
}));
Is this an issue with Express or maybe Cloudflare/Heroku?
#Why the cookie is blocked
From whatis.techtarget.com:
A third-party cookie is one that is placed on a user’s hard disk by a
Web site from a domain other than the one a user is visiting.
As you mentioned in your comment, your client and your server are on different domains:
www.castcrunch.com is my client side server's URL and cast-crunch-server.herokuapp.com is my backend server URL
You can read more about cookie domains in the RFC 6265:
The Domain attribute specifies those hosts to which the cookie will be sent.
#What you could do about that
As mentioned in this dzone article, you could use Json Web Tokens to do the authentication. Your server would send the token in the login response body, the client would store it and send it to the server in every subsequent request header.
The drawback with this approach, since you are storing the token, is that you would become vulnerable to XSS attacks. You have to pay special attention to that: sanitise all inputs, or better yet, use frameworks and languages that already to that.
Note: Of course, you could also uncheck the "block 3rd party cookies" option in the browser settings, but this does not seem like a long term solution :).
I'm using express-session for my app. Cookies are set and users are authorised when deployed on Heroku which by default serves the app on a secure connection. When working locally on localhost with a non https connection the session is not initialised thus causing me to get a 401 back everytime. I cannot find any answers for this. My code is as follows:
app.use(session({
name: consts.SESSION_COOKIE_NAME,
secret: consts.SECRET_KEY,
saveUninitialized: false,
resave: true,
cookie:{
httpOnly: true,
secure: false
}
}));