I have two sailsjs applications running on the same machine (locally), with the first providing REST endpoints for the second. I use the same browser to interact with both the applications. The apps run on different ports.
The problem is, each time I access one application from the browser, the session for the other gets lost, requiring me to login every time I use the browser for testing the REST endpoints. I tried setting the same session secret for both application as a wild guess but it didn't work.
Is there a way to get around this?
I'm using Firefox and the applications are hosted on localhost:9999 and localhost:1337.
Thanks in advance.
You can store your session in your database, that's what connect-mongo does, for instance. I'm sure you can find something like that for sails too.
The issue was that Sails uses the same cookie name/key ('sails.sid') for each application by default. Accessing different Sails applications made the browser override the same session cookie, leading to the described condition.
Changing the key for every application fixed the problem.
In config/session.js, include a key attribute and set it to something application-specific to avoid using sails.sid.
Related
We develop an React application with an Express NodeJS backend and this application is secured by an authentication using IBM App ID. Everything works fine on the authentication mechanism if the application is deployed on a Cloud Foundry Service with only 1 instance running.
For performance and high availability reason we need to scale up the number of instances. Unfortunately, as soon as we add an instance, we face problems with authentication. We loop over the authentication screen several times before the authentication succeeds and we can access the application.
For information, we use a Cloudant database to store the session.
Have you ever encountered this problem and how did you solve it?
Thank you for your feedback.
Technically what you are doing is the right thing.
I've encountered these problems before and first thing is usually local session handling - either the default memory store or some file based session store. You should have this covered, as you say you have sessions in Cloudant, but sometimes when you want to enable local developers running the app, you may need to have some switches to control if the shared store is used, but also if http or https is used.
Why http vs https is important, you probably have 'cookie: { secure: true }' which needs to be flip/flopped in that case. Next you might want to http trace the login attempt to see that you don't accidently use another host name than what you begun with. This could easily happen if your CALLBACK url for App ID changes it. These might still not be your reason, and if it is so - then setup that 2 instance environment, save the logs from app servers, http trace from browser and inspect created sessions from Cloudant. There should be only one session created, one url for application used, same session cookie saved in browser. If any of that does not add up - then you need to figure out why not.
I just discovered that azure app services can scale both up and out. For out this means creating multiple instances. So my question is do I need to change my asp.net web app to support this? For example if a user asks to run an async report that runs in background and then comes back later to download the report will it just work? What about security. If a user has authenticated, gotten a cookie, and then leaves the app alone for a while and then continues will it work? Is there any documentation to help.
If your code doesn't support, you can always switch on server affinity. This ensures the request will route back to the same server. However this is not recommended you want any server to respond, rather the same one they started with.
You don't need to change your code, it will just work and its Azure is smart enough to route traffic to the servers for you, so your question about async, yes that will 100% work.
If you use store information in the cookie, it should work without server affinity, but if you use session, then you most likely will need to turn it on (depending on where session is stored - inproc, sql). Here is an article about server affinity https://blogs.msdn.microsoft.com/appserviceteam/2016/05/16/disable-session-affinity-cookie-arr-cookie-for-azure-web-apps/
Hope that helps
My question is simple. How do I securely share laravel session information with my socket.io nodejs app. I've tried many different methods, none of them worked so I'm hoping a expert will pull through. I already know I don’t want to use JWT Tokens. So I guess that just leaves the session cookie data itself. I cannot figure out how to authenticate socket.io with the cookie so that’s what I need help with. I am storing sessions using redis, and using the default authentication system with laravel.
I’ve tried using this library which is great for parsing the session. But it does not authenticate with my socket.io server.
https://www.npmjs.com/package/node-laravel-session
If anyone knows how to fix this problem I would greatly appreciate some help.
I think, you have problem with authentication problem inside socket.io, idea is that you can't share the session from application to application easily, why? because this data is processed between the client's browser (cookie) and the server ( session ), if you want to connect Laravel and Socket.io, first you have to make some kind of flow like:
When user authenticates on website, to set cookie for socket.io as
well (if host is different).
In background you have to share the session data trough database (memcached, redis etc), and with cookie. As you know, if you set laravel session param to work with database, instead of using files, laravel will automatically start saving session data into DB, so it's easy to read the session params from database.
I think you are using node-laravel-session by wrong, I mean if you have node.js application on other server and you use getSessionFromFile, it will not work. make sure you are using it correctly and it'll work. It's easy process itself to make thing like that, but mostly problem is security when you have cross-project sessions.
Here I will describe the requirement for my project.
Basically I want to build a chat application which I can embed to different websites for example , site build using wordpress, magento, drupal, custom frameworks ... etc . What I actually need is to embed JavaScript for handling socket chat using (socket.io) on some of the website(wordpress, magento, drupal ....), so what I finally have is a set of javascript code (client side), and a server running in nodejs (with socket.io)
The problem I faced is to manage session for registered users after login. Since my code is embedded on different websites and the node server resides on other server , On each page refresh I faced difficult to validate user session session. Could you please help me how I can manage session in a best way for this application.
If you feel difficulty to understand my need , I can explain in detail with examples
Thanking You
If I understand your problem, you just need to handle user sessions? More specifically on the client side?
Based on the information you give, I will just assume you either return a unique string representing the session on the server to the client. The format of this can either be a cookie, a normal string/token, etc.
For cookies, you shouldn't have much problems, since the browser deals with this. Although you might need to set it up correctly on the server.
For tokens/strings that needs to be returned to the server for each request requiring authentication, you should store it in the session-storage/local storage of the browser, depending on your need. Then you should embed it in every requests back to the server and authenticate it.
I have two different applications running on the same server, one is Java-based running in Tomcat with spring-social and spring-security, and the other is a NodeJS application using PassportJS as security framework.
Both apps are configured to access using Google OAuth2 with the same clientId/secret, so I can login with my google account in each of them. But if I change from one of them to another, I need to login again, because the session doesn't exist on the other app.
I'm looking at the session cookies, the Java app creates the JSESSIONID cookie whereas the Node app creates a "connect.sid" cookie. Maybe I could create a session in each app everytime a user do a login? Or I have to deal with OAuth tokens?
Please, could you point me in the right direction? Should I use another library/framework?
Thank you in advance.
This might be of help; it looks like it's relatively easy to change the name of the cookie for Express/Connect. The question then just becomes whether the contents of JSESSIONID and connect.sid are in fact the same.