I am currently building a rest api with express backed up with a mongo database. At the moment, I have setup a simple authentication process which saves a session object in the mongo database.Thing is I don't send back anything to the client such as a session ID. Still, when i close the browser and open it again, then log req.session, i still get the user id that i previously saved in the session. I was wondering how does express know that it is the same client. If someone could clearify this to me, it would be great.
Here is how i set the session:
app.use(
session({
secret: "This is a secret",
cookie: {
maxAge: 1000 * 60 * 60 * 24 * 7 // 1 week
},
store: store,
resave: true,
saveUninitialized: true
})
);
Related
New sessions are created for every page, I'm setting the token in the server-side session after the login. But it is not available on the next page a new session is created on that page How to avoid this? The database disconnects after the API call on the page. Every time the database connection is made before calling the API. I require the token throughout the login.
src/index.ts
...
const session = require("express-session")
app.use(session({
name : 'Server_ID',
secret : 'something',
resave:false,
saveUninitialized: true,
rolling: false,
cookie: {
same site: true,
// secure: "development",
httpOnly: true,
secure: false,
maxAge:1000 * 60 * 10
}
}));
...
you must set credentials flag with your API call
for example if you're using axios, you do this:
axios.defaults.withCredentials = true;
with this approach cookie is going to sent along with your request call
make sure you have correct CORS settings too.
So I am running a node.js backend with a react frontend, and for some reason with this setup:
app.use(session({
store: new MongoStore({
mongooseConnection: mongoose.connection
}),
secret: process.env.SECRET_KEY,
resave: false,
saveUninitialized: false,
cookie: {
maxAge: 1000 * 60 * 60 * 24 * 7 * 2, // two weeks
secure: false,
httpOnly: false,
}
}));
I save the username using: req.session.username = username; which does save but then whenever I try to check the session on another page the username is gone.
Full source code: https://github.com/CTF-Cafe/CTF_Cafe/tree/master/backEnd
PS: it works in production completely fine, but not locally I tried with httponly false, and secure false. No change.
Any help appriciated
When you serve your frontend from your backend the session will be working because it has the same origin. However, for your local environment, you will be running React app in a different port, and the Express app would be also different. When a port is different it is already considered a different origin and cookies, sessions won't be shared.
You can proxy your frontend via the node app and this way you can have the same origin and your session will remain.
const proxy = require('express-http-proxy');
const app = express();
...
// Add after your routes
app.use(proxy('http://127.0.0.1:3000')); // assuming your Reacts runs on P3000
Check this answer too.
I am using express-session for a login system for users on my Node.js web application. My issue is that every time I make an update and restart the Node.js server, all the users are logged off which is not ideal behaviour (there are multiple users logged on via the local network and I would like to not have to log them back on each time there is a restart).
From my understanding I could use something such as connect-pg-simple (for reference I am using a postgres database with my node web app) to keep users logged in on server restart but I am unsure of how to implement this.
I know it would be something along the lines of:
app.use(session({
store: new (require('connect-pg-simple')(session))({
// Insert connect-pg-simple options here
}),
secret: 'secret',
resave: false,
saveUninitialized: true
}));
But I do not know what options to use or how to save the users session even on server restart.
Yes you are on the right track.
Open your database and create a table named session. See: https://github.com/voxpelli/node-connect-pg-simple/blob/HEAD/table.sql
Add the connect-pg-simple code like you posted
Pass the postgres pool you are using from node-pg.
const session = require('express-session')
const PGSessionStore = require('connect-pg-simple')(session)
const pg = require('pg')
const pool = new pg.Pool({
user: process.env.PG_USERNAME,
host: process.env.PG_HOST,
database: process.env.PG_DATABASE,
password: process.env.PG_PASSWORD,
port: process.env.PG_PORT
})
app.use(session({
store: new PGSessionStore({
pool: pool,
tableName: 'session'
}),
secret: process.env.COOKIE_SECRET,
cookie: {
secure: false,
httpOnly: true,
sameSite: true,
maxAge: 24 * 60 * 60 * 1000
},
saveUninitialized: true,
resave: false
}))
Your session is stored on the app runtime, so on refresh, it resets back every other data it might be holding at runtime on server restart
I am making a one to one chat application using socket.io and mongodb, whenever I refresh the page a new socket connection is formed, whenever user joins the chat he needs to refresh the page at the beginning then only it starts receiving messages. Can anyone tell me how to avoid it?
I am using express-session to store the session.
var sessionInit = session({
name: 'userCookie',
secret: '9743-980-270-india',
resave: true,
httpOnly: true,
saveUninitialized: true,
store: new mongoStore({
mongooseConnection: mongoose.connection
}),
cookie: {
maxAge: 80 * 80 * 800
}
});
app.use(sessionInit);
Maybe not the best thing to do but you can use
window.location.reload();
when someone joins the chat so they don't have to do it by themselves
I set up the session maxAge of express like documented.
Here is my code:
app.use(session({
secret: process.env.SESSION_SECRET,
saveUninitialized: true,
resave: true,
maxAge: 1000* 60 * 60 *24 * 365,
store: new MongoStore({mongooseConnection:mongoose.connection})
}));
But every time I close the browser, I find myself logged out.
Also, note that I am using Passport local, facebook, and google authentications.
They all expire.
In the console, I can see that the connect.sid in the expires/maxAge section lists "Session" while other cookies have dates...
What am I doing wrong?
you need to configure your express-session, and set maxAge on session-cookie
app.use(express.session({
cookie : {
maxAge: 1000* 60 * 60 *24 * 365
},
store : new MongoStore({mongooseConnection:mongoose.connection})
});
//.....
app.use(passport.session());