Cookies for domain and subdomain with passport.js - node.js

Basically, I have a sign-in form running on AUTH.domain.com, and I create a session (saved in a cookie) for logged-in users. Then I redirect the user to APP.domain.com, and I need the session to be passed to this subdomain as well, but we can't figure out how to do that.
Authorization works with passport.js, and the session is set by passport.js.
I tried setting the domain option on the cookie middleware and setting req.sessionOptions.domain = '.domain.com', but this does not work.
    var express = require('express');
    var cookiesession = require('cookie-session'); // module assumed from the variable name
    var passport = require('passport');
    var app = express();

    app.use(cookiesession({
        secret: 'secretstring',
        saveUninitialized: false, // saveUninitialized/resave are express-session options; cookie-session ignores them
        resave: true,
        domain: '.domain.com'     // a top-level domain is a cookie-session option; express-session expects cookie: { domain: ... }
    }));
    app.use(passport.initialize());
    app.use(passport.session());
    // per-request override via cookie-session's req.sessionOptions (must run inside a middleware, not at top level)
    app.use(function (req, res, next) {
        req.sessionOptions.domain = '.domain.com';
        next();
    });

Try setting the domain to domain.com (note the omission of the preceding .)!
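As an added example (not code from the question or the answer), here is a small Node.js model of the RFC 6265 rules a browser applies to a cookie's Domain attribute: how a Set-Cookie from auth.domain.com is stored with and without Domain, which hosts then receive it, why a Domain the responding host does not match is dropped, and why a leading dot makes no difference in an RFC 6265 user agent (section 5.2.3 strips it). The host names, cookie values and the express-session option object are assumed placeholders.

```javascript
// Added example: an RFC 6265 model of cookie Domain handling (not the page's code).
// Host names such as auth.domain.com / app.domain.com are illustrative.

// RFC 6265 section 5.1.3: `host` domain-matches `domain` when they are equal, or
// `host` ends in "." + domain and is not an IPv4 address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.endsWith('.' + domain) && !/^\d+(\.\d+){3}$/.test(host);
}

// Sections 5.2.3 and 5.3 (steps 4-6): what the browser stores for a Set-Cookie
// sent by `requestHost`. A leading "." in Domain is stripped, so ".domain.com"
// and "domain.com" select the same hosts. No Domain at all makes the cookie
// host-only. A Domain that `requestHost` does not match is ignored entirely.
// Returns the stored cookie, or null when the browser rejects it.
function storeCookie(requestHost, name, value, attrs = {}) {
  const host = requestHost.toLowerCase();
  let domain = (attrs.domain || '').toLowerCase().replace(/^\./, '');
  let hostOnly = false;
  if (domain === '') {
    hostOnly = true;
    domain = host;
  } else if (!domainMatches(host, domain)) {
    return null; // e.g. an API host trying to set Domain=<some other site>
  }
  return { name, value, domain, hostOnly, secure: Boolean(attrs.secure) };
}

// Section 5.4: whether a stored cookie is attached to a request for `host`
// over `scheme` (Secure cookies only travel over https).
function willSend(cookie, host, scheme = 'https') {
  if (!cookie) return false;
  const h = host.toLowerCase();
  const hostOk = cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain);
  const schemeOk = !cookie.secure || scheme === 'https';
  return hostOk && schemeOk;
}

// The scenario from the question: the session cookie is set by the auth host
// and must reach the app host. `domainAttr` is the Domain value under test.
function sessionReachesApp(domainAttr) {
  const cookie = storeCookie('auth.domain.com', 'connect.sid', 's%3Aabc.sig', {
    domain: domainAttr,
    secure: true,
  });
  return {
    stored: cookie !== null,
    sentToAuth: willSend(cookie, 'auth.domain.com'),
    sentToApp: willSend(cookie, 'app.domain.com'),
    sentToOtherSite: willSend(cookie, 'app.otherdomain.com'),
    sentOverHttp: willSend(cookie, 'app.domain.com', 'http'),
  };
}

// Assumed express-session shape (from its documented `cookie` options): the
// Domain attribute lives inside `cookie`, next to the other session-cookie flags.
const sessionOptions = {
  secret: 'replace-with-a-long-random-secret',
  resave: false,
  saveUninitialized: false,
  cookie: { domain: 'domain.com', httpOnly: true, secure: true, sameSite: 'lax', path: '/' },
};

console.log('no Domain  :', sessionReachesApp(undefined));
console.log('domain.com :', sessionReachesApp(sessionOptions.cookie.domain));
console.log('.domain.com:', sessionReachesApp('.domain.com'));
```

Without a Domain attribute the cookie is host-only and never reaches app.domain.com, which matches the symptom described in the question; with Domain=domain.com it reaches every subdomain, so any compromised or user-controlled subdomain can read or fixate the session. Keep the scope as narrow as the deployment allows and keep Secure, HttpOnly and SameSite set. The model leaves out the public-suffix check real browsers also apply (Domain=com is rejected).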

Related

How do I authenticate users to sites in different domains?

I have a Node.js API on api.com that authenticates users based on sessions. How can I save a session from the API on api.com to client.com?
For example, I'm going to send a request from client.com to api.com and have the API on api.com add a session cookie for client.com.
My session settings:
    var session = require('express-session');
    // `store` is a session store instance created elsewhere (not shown in the question)
    app.use(session({
        secret: process.env.SECRET,
        resave: false,
        saveUninitialized: false,
        store
    }))

If the Keycloak session has expired, how do I redirect to the login page?

I'm trying to implement keycloak on my node.js apps.
I'm using keycloak-nodejs-connect on my node.js apps.
If there is no operation on the website for longer than the session idle time, I would like to automatically go to the login page or notify the user that they are logged out (when the session has expired, pressing F5 automatically brings up the login page).
Keycloak version : 12.0.0
keycloak-nodejs-connect version : 12.0.4
I wrote the code by referring to the source code below.
https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js
How do I redirect the client page to login page or logout page?
Thanks for comments.
Here is the code.
app.js
    var express = require('express');
    var session = require('express-session');
    var Keycloak = require('keycloak-connect');
    var app = express();

    var memoryStore = new session.MemoryStore();
    app.use(session({
        secret: 'mySecret',
        resave: false,
        saveUninitialized: true,
        store: memoryStore
    }));
    // Keycloak shares the session store so the grant is kept in the user's session
    var keycloak = new Keycloak({
        store: memoryStore
    });
    app.use(keycloak.middleware({
        logout: '/logout',
        admin: '/'
    }));
index.js (router)
    var session = require('express-session');
    var Keycloak = require('keycloak-connect');
    // note: this creates a second MemoryStore and a second Keycloak instance,
    // separate from the ones configured in app.js
    var memoryStore = new session.MemoryStore();
    var keycloak = new Keycloak({
        store: memoryStore
    });
If you are using keycloak-connect, you do not have to worry about redirecting the user, because this is the reason why you are using the library: it does it for you.
Regarding the links: if you are running the example, the URL http://localhost:3000/logout will redirect to the Keycloak server and remove the session there. After that, it will redirect back to your application, in this case http://localhost:3000.
Any resource of the express app which needs authentication and/or authorization, like
    app.get('/hello', keycloak.protect(), function (req, res) {
        res.json({ message: `Hello ${req.kauth.grant.id_token.content.preferred_username}` });
    });
will automatically redirect to the Keycloak server and either show the login form or handle single sign-on, whatever is configured for the realm.
So there is no link to the login page, but if there is no valid user session at http://localhost:3000/hello, it will redirect to it; otherwise it will already know who you are and will print your name.

Passport.js not setting session on different domain request

I am using the passport.js local strategy for login but am not able to set the session. I have two servers: localhost:3000 is for node and the other is localhost:4200. Here I want to set the session on a request from localhost:4200.
How is your session configured?
Here's an example of how you can do it.
    var session = require('express-session');
    var MongoStore = require('connect-mongo')(session); // connect-mongo v3 style API
    var mongoose = require('mongoose');

    app.use(session({
        secret: 'some secret that must not be explicit in code',
        saveUninitialized: true,
        resave: true,
        store: new MongoStore({
            mongooseConnection: mongoose.connection
        })
    }))

Why is express session cookie being blocked as a third party cookie

I am using the express-session module. It works perfectly on localhost, but on my website (hosted on Heroku using Cloudflare) the express session cookie is being blocked as a third-party cookie. Here is the configuration for my session:
    var session = require('express-session');
    // `sessionStore` is a store instance created elsewhere (not shown in the question)
    app.use(session({
        resave: false,
        saveUninitialized: false,
        proxy: true,
        cookie: {
            maxAge: 3600000000000, // milliseconds: roughly 114 years
            httpOnly: false,       // page script can read the session cookie
            secure: false,         // cookie is also sent over plain http
            domain: '.mydomain.com',
            path: '/'
        },
        store: sessionStore,
        secret: 'mysecret',
        unset: 'destroy'
    }));
Is this an issue with Express or maybe Cloudflare/Heroku?
Why the cookie is blocked
From whatis.techtarget.com:
    A third-party cookie is one that is placed on a user's hard disk by a Web site from a domain other than the one a user is visiting.
As you mentioned in your comment, your client and your server are on different domains:
    www.castcrunch.com is my client side server's URL and cast-crunch-server.herokuapp.com is my backend server URL
You can read more about cookie domains in RFC 6265:
    The Domain attribute specifies those hosts to which the cookie will be sent.
What you could do about that
As mentioned in this dzone article, you could use JSON Web Tokens to do the authentication. Your server would send the token in the login response body, the client would store it and send it to the server in a header on every subsequent request.
The drawback with this approach, since you are storing the token, is that you would become vulnerable to XSS attacks. You have to pay special attention to that: sanitise all inputs, or better yet, use frameworks and languages that already do that.
Note: Of course, you could also uncheck the "block 3rd party cookies" option in the browser settings, but this does not seem like a long-term solution :).

Cookie not setting on non secure connection express-session

I'm using express-session for my app. Cookies are set and users are authorised when deployed on Heroku, which by default serves the app over a secure connection. When working locally on localhost with a non-HTTPS connection, the session is not initialised, so I get a 401 back every time. I cannot find any answers for this. My code is as follows:
    var session = require('express-session');
    // `consts` holds the cookie name and secret key (defined elsewhere, not shown in the question)
    app.use(session({
        name: consts.SESSION_COOKIE_NAME,
        secret: consts.SECRET_KEY,
        saveUninitialized: false,
        resave: true,
        cookie: {
            httpOnly: true,
            secure: false
        }
    }));
