I am using passport.js local strategy for login but not being able to set session. I have two servers i.e. localhost:3000 is for node and another is localhost:4200. Here I want to set session on request from localhost:4200.
How your session is configured ??
Here's an example of how you can do it.
app.use(session({
secret: 'some secret that must not be explicit in code',
saveUninitialized: true,
resave: true,
store: new MongoStore({
mongooseConnection: mongoose.connection
})
}))
Related
I have a Node.js API on api.com that authenticates users based on Sessions. How can I save session from api in api.com to client.com?
For example; I'm going to send a request from client.com to api.com and add a session cookie to client.com from the api on api.com.
My session settings;
app.use(session({
secret: process.env.SECRET,
resave: false,
saveUninitialized: false,
store
}))
Basically, I have a sign-in form, running on AUTH.domain.com and I create a session (saved in cookie) for the logged users. Then I redirect the user to APP.domain.com, and I need his session to be passed also to this subdomain, but we can't figure, how to do that.
Authorization works with passport.js, and session set from passport.js
I tried set domain option on cookies middleware and set res.sessionOption.domain = '.domain.com'. But this does work.
app.use(cookiesession({
secret: 'secretstring',
saveUninitialized: false,
resave: true,
domain: '.domain.com'
}));
app.use(passport.initialize());
app.use(passport.session());
req.sessionOptions.domain = '.domain.com';
Try setting the domain to domain.com (note the omission of the preceding .)!
In my app, two types of users get logged in: normal users and admin users. Right now I am using single session for both type of users and my app is behaving abnormal. When two or more users get logged in, after sometime some user gets logout unexpectedly.
I thought this problem was occurred due to single session and I tried to split into two different sessions as,
//manage session for normal user
app.use('/', session({
key: USER_SESS_NAME,
resave: false,
saveUninitialized: false,
secret: SESSION_SECRET,
cookie: {
expires: 600000
}
}));
//manage session for admin
app.use('/admin', session({
key: ADMIN_SESS_NAME,
resave: false,
saveUninitialized: false,
secret: SESSION_SECRET,
cookie: {
expires: 600000
}
}));
Also, all routes for normal user starts with '/' and for admin they starts with '/admin' so I split sessions as above.
I don't know whether it is right way of creating two different sessions. Moreover, the session for admin is also not working as expected. When I get logout as normal user, I also get logged out from admin. What is the best way of handling these sessions and what things we need to do while logging out??
Use a single session for all user types. The best way will be to use account type in session to separate users.
Whenever a user signs up, set the value for normal user and admin user. In your session secret include the account type.
The format should look like:
secret: YOUR_SECRET.usertype
so that you can split it with the dot and determine the user type. This way you will have a single session with user-type on it.
I'm using express-session for my app. Cookies are set and users are authorised when deployed on Heroku which by default serves the app on a secure connection. When working locally on localhost with a non https connection the session is not initialised thus causing me to get a 401 back everytime. I cannot find any answers for this. My code is as follows:
app.use(session({
name: consts.SESSION_COOKIE_NAME,
secret: consts.SECRET_KEY,
saveUninitialized: false,
resave: true,
cookie:{
httpOnly: true,
secure: false
}
}));
If I am using the default express session store with the same keys on different web servers behind a load-balancer will I need sticky sessions for them to work?
app.use(session({
secret: 'keyboard cat',
resave: false,
saveUninitialized: true
}));
Or will I have to use a persistent store like Redis? I do not want to use sticky sessions.