i've a node app that use a session stored into a cookie.
That app are invoked fron different domain, so i need to store the cookie with the right domain.
I followed this solution
It works but i have a little problem.
I start the app and open my browser the app work fine, the cookie are stored rightly.
Well if restart the app (forever restart) and reload the windows in the browser the app doesn't work, the session are not recognize, but i see the cookie stored as resource in my browser.
If delete the cookie and reload my window the app work fine, the session works rightly and so the app and i see the cookie on my resource.
it works rightly or not?
Any help are appreciated
Related
I'm using express-session to initialize a session and save the cookie. But the process of how the cookie is saved browser side is abstracted away and something of a black box to me, it just happens automatically. Can anyone point to a resource that explains how the client takes the cookie from the response and saves it in local storage? My front facing stack is composed of react, nextjs and urql client.
When you use express-session to initialize a session and save the cookie on the server, the client automatically receives the cookie in the response from the server and saves it in the local storage. This happens because the browser automatically includes the cookie in the request headers for any subsequent requests to the same domain, and the server uses the cookie to identify the user's session.
The process of how the cookie is saved in the local storage and included in the request headers is part of the underlying mechanics of the HTTP protocol and is handled automatically by the browser. It is not something that you need to worry about or configure when using express-session.
If you want to learn more about how cookies work in general, you can check out the following resources:
The official documentation for cookies on the Mozilla Developer
Network: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
A tutorial on cookies from the W3Schools website:
https://www.w3schools.com/js/js_cookies.asp
We develop an React application with an Express NodeJS backend and this application is secured by an authentication using IBM App ID. Everything works fine on the authentication mechanism if the application is deployed on a Cloud Foundry Service with only 1 instance running.
For performance and high availability reason we need to scale up the number of instances. Unfortunately, as soon as we add an instance, we face problems with authentication. We loop over the authentication screen several times before the authentication succeeds and we can access the application.
For information, we use a Cloudant database to store the session.
Have you ever encountered this problem and how did you solve it?
Thank you for your feedback.
Technically what you are doing is the right thing.
I've encountered these problems before and first thing is usually local session handling - either the default memory store or some file based session store. You should have this covered, as you say you have sessions in Cloudant, but sometimes when you want to enable local developers running the app, you may need to have some switches to control if the shared store is used, but also if http or https is used.
Why http vs https is important, you probably have 'cookie: { secure: true }' which needs to be flip/flopped in that case. Next you might want to http trace the login attempt to see that you don't accidently use another host name than what you begun with. This could easily happen if your CALLBACK url for App ID changes it. These might still not be your reason, and if it is so - then setup that 2 instance environment, save the logs from app servers, http trace from browser and inspect created sessions from Cloudant. There should be only one session created, one url for application used, same session cookie saved in browser. If any of that does not add up - then you need to figure out why not.
I am running my web server written in node/locomotive.js on cloud9 terminal. When I try to access it from a client program such as curl, it gets redirected to
https://c9.io/signin.html?redirect=http%3A%2F%2Fchekofvgameserver-c9-linzhp.c9.io%2F
That makes it impossible for any client program to test the server. Access it from a browser works fine, because the browser remembers my cloud9 credentials.
Is there a way to skip the signin page of cloud9?
The problem is that your project is probably a private project. In order to guarantee that only authorized people have access to your running the Cloud9 proxy will intercept calls to your application and check the permissions. If it doesn't find a valid session cookie you will be redirected to the login page. When you use Cloud9 to develop an API server the client will obviously not have that session cookie and fail in the way you described above.
I see two options to work around this:
Use a public workspace instead of a private one
Run curl from inside Cloud9. You can simply open a second terminal and instead of the hostname just use $IP:$PORT to talk to the server
I'm using node/express to make a pure backend api. My front-end (angular.js) is hosted on a separate server. I have a few lines of middleware for every request to allow CORS.
If I start chrome with -args --disable-web-security flags, everything works great!
However if I start it normally, cookies seem to not be getting set in the browser, and therefore sessions on the node side aren't kicking in. This is the same for safari/mobile safari/etc.
I've tried browser options such as "accept all cookies"/"never block cookies". I thought maybe browsers don't like localhost but this is the same behavior on localhost and on actual hosted domains.
The flow is:
I login and the session is set with an id, on success the frontend is directed to the next page. This works, and I console logged req.session.id and it's correct.
On the next page a request is sent, the node server is configured to use the id in the session for this request. With safari/mobile safari/chrome the req.session.id is suddenly empty. With chrome -security disabled, the req.session.id is still correct and behaves just like it should.
please refer to this answer that covers cross-domain cookies and session: Using Express and Node, how to maintain a Session across subdomains/hostheaders
I have two different applications running on the same server, one is Java-based running in Tomcat with spring-social and spring-security, and the other is a NodeJS application using PassportJS as security framework.
Both apps are configured to access using Google OAuth2 with the same clientId/secret, so I can login with my google account in each of them. But if I change from one of them to another, I need to login again, because the session doesn't exist on the other app.
I'm looking at the session cookies, the Java app creates the JSESSIONID cookie whereas the Node app creates a "connect.sid" cookie. Maybe I could create a session in each app everytime a user do a login? Or I have to deal with OAuth tokens?
Please, could you point me in the right direction? Should I use another library/framework?
Thank you in advance.
This might be of help; it looks like it's relatively easy to change the name of the cookie for Express/Connect. The question then just becomes whether the contents of JSESSIONID and connect.sid are in fact the same.