I have two services running on different sub-domains: 1) Node.js, Express, PassportJS, 2) PHP based. Both services are exposed in same portal, in order to avoid requiring user to enter credentials twice, we call Node.js login API from PHP server. Node returns session cookie (connect.sid), we forward this to client with domain set to <<rootdomain>>.com. Now when client calls Node.js, we can see cookie being sent to Node but still Node fails to authenticate.
I have verified following things:
Login API call from PHP server to Node returns success with connect.sid cookie and adds session entry into Redis server (We are using Redis for storing sessions)
Cookie is set correctly in browser
When browser calls Node.js connect.sid cookie is sent to server
If we call login API directly from client, everything works as expected. Basically stand alone Node app works without any issues.
I am curious whether Node uses User-agent, IP or something to validate connect.sid cookie? Or is it something related to Passport/Express session params values? What might be wrong? FYI, currently site is not running on SSL.
Here are my session params:
store = new RedisStore({
port: 6379,
host: 'localhost',
client : redis
});
var sess = {
store: store,
secret: 'some secret',
rolling: true,
cookie: { maxAge : 36000000, secure: false },
saveUninitialized: true,
resave: true,
sortName: 0,
sortModified:0,
sortSize: 0
};
Thanks in advance
Related
After we migrated our website from http scheme to https (including enabling https on CDN and redirecting http to https on server), we found that our user sessions works incorrectly sometimes, that is, the user A would be recognized as user B! It seems the session ids of cookies are incorrectly parsed and maybe different users share the same cookies or session ids but all the session ids are generated by uid-safe uniquely.
The issue seems very strange and we really have no idea of the cause.
we use nodejs, Express, express-session with redis storage.
The express-session setup is as below:
app.use(session({
secret: 'xxxx',
cookie: {
maxAge: 3600*24*90*1000
},
store: new redisStore(),
resave: false,
rolling: true,
saveUninitialized: false
}));
I'm busy building a platform with 3 different subdomains - example.com, auth.example.com and api.example.com. They're run with 3 separate NodeJS apps running on different ports of the server.
Here is the code setting up the sessions:
var session = require("express-session");
var redisStore = require("connect-redis")(session);
var redisClient = require("redis").createClient(config.redis);
app.use(session({
secret: config.server.secret,
store: new redisStore(config.redis),
client: redisClient,
resave: false,
saveUninitialized: false,
cookie: {
domain: "example.co.za",
httpOnly: false
}
}));
The configuration is exactly the same for all 3 apps and they're sitting on the same server. For some reason, the sessions are not being shared. I seem to remember that they were being shared a few weeks back and now things are broken - I have a sneaky suspision that this happened when we moved all the traffic from HTTP to HTTPS. Would this break the sessions? I tried to turn of 'httpOnly' in case it restricted the sessions, but no luck.
I have run redid-cli MONITOR and the session is, in fact, being saved on login (Auth App) but is not being retrieved by the other app. When I turned saveUninitialized to true, the requests to save were coming from all 3 apps - this shows that they are connected to the same Redis Store.
Any help would be great.
I think this is just a cookie issue. The browser is not sending the session cookie back on your sub-domains:
you need a leading . on the domain. e.g.:
cookie: {
domain: ".example.co.za",
httpOnly: false
}
In case that doesn't work and you are having AJAX issues see this post
I have a node server.It uses express for session handling .
I have set httpOnly: false. I am trying to retrieve the session cookie from a cordova app running on localHost. when I run the node server on localhost I can retrieve the cookie, but when I run the same node server on Openshift cloud ,I can not retrieve the cookie . why is it so?
My express Session configuration is as follows:
{name:'session.id',
secret: 'xyz',
resave:false,
saveUninitialized:false,
cookie: { maxAge: null,httpOnly:false}}
After a bit of googling I found that cross domain session cookies reading is forbidden in new browsers.Thus there is no way I could read the cookies.But since I have control of the server in this case ,I can retrieve the cookies from the server by using normal GET request to my server.
I am using iodocs from Mashery to be the developer front end to my REST API. My API is written with Node / Express, and uses PassportJS to authenticate the user (local strategy). My implementation requires the user to use the /login endpoint, passing in username and password. Then, Passport serializes the user in a cookie, so that subsequent requests do not need to log in.
When using iodocs, the cookie that Passport sets ("connect.sid") is not passed back in subsequent requests.
Is there a way to do this? Is there an authentication method that IODocs supports that works this way?
Cookies WILL traverse across the ports. An issue you may be encountering is that "connect.sid" is also being set by I/O Docs in that it's using the Express session.js middleware module, so that cookie value is probably getting overwritten.
Try updating I/O Docs app.js with a different cookie name in the session initializer -- setting the "key" value:
app.use(express.session({
secret: config.sessionSecret,
key: 'iodocs.connect.sid',
store: new RedisStore({
'host': config.redis.host,
'port': config.redis.port,
'pass': config.redis.password,
'maxAge': 1209600000
})
}));
I am having two subdomains, api.abc.com and beta.abc.com. Both of them are on same server (box), api.abc.com is running on port 4000 and the beta.abc.com is running on 5000. I am also using node-htty-proxy to reverse proxy the requests. beta.abc.com is used to serve only static content, while api.abc.com returns the response in json.
The user authentication is done through facebook oauth on the server (api) side. Once that is done, session is created and the user is redirected to the beta. The problem I am having here is I am not able to persist sessions! I tried giving the domain option in the cookie obj (as i had seen in other questions), even that din't work.
app.use(express.session({
secret: 'omg'
, store: new mongoStore({
url: config.db.uri
, collection: 'sessions'
})
, cookie: {
domain: ".abc.com"
, maxAge: 1000*60*60*24*30*12
}
}))
How do I go about this? Am I doing anything wrong?
I found a very similar question here.