Express-session is creating a new session (new sessionID) for a new request, and it happens intermittently. For example, sometimes for the first 3-4 hits it will work fine and keep using the same existing session, and on the 4th hit it will create a new one. Sometimes it will create a new session on the first request itself.
Things that I have already tried and are not working:
Express session is created after static file routes.
Express session secret and cookieParser secret are set to same.
Using app.use(favicon(path.join(__dirname, 'public', 'favicon.ico'))); for favicon.
Setting very high value for max-age field while creating cookie.
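Below is my app.js snippet:
```js
// Requires not shown in the posted snippet; package names are assumed from the identifiers used.
var express = require('express');
var path = require('path');
var favicon = require('serve-favicon');
var logger = require('morgan');
var bodyParser = require('body-parser');
var cookieParser = require('cookie-parser');
var hbs = require('express-hbs');
var passport = require('passport');
var expressSession = require('express-session');
var app = express();
app.engine('hbs', hbs.express4({
  partialsDir: __dirname + '/views/partials'
}));
app.set('view engine', 'hbs');
app.set('views', path.join(__dirname, 'views'));
app.use(favicon(path.join(__dirname, 'public', 'favicon.ico')));
app.use(logger('dev'));
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(express.static(path.join(__dirname, 'public')));
var flash = require('connect-flash');
app.use(flash());
var initPassport = require('./passport/init');
initPassport(passport);
//app.use(bodyParser.urlencoded());
app.use(cookieParser('mysecret'));
// No `store` option is given, so sessions live in the default in-memory store of this process.
app.use(expressSession({ secret: 'mysecret', name: 'user', cookie: { maxAge: 60000000 } }));
app.use(passport.initialize());
app.use(passport.session());
```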
You don't need cookie-parser. (though I haven't tested if this is the issue...)
Note Since version 1.5.0, the cookie-parser middleware no longer needs to be used for this module to work. This module now directly reads and writes cookies on req/res. Using cookie-parser may result in issues if the secret is not the same between this module and cookie-parser.
Hey @justiko
Your example above doesn't have anything after the session middleware is used. What is the expected behavior and what are you seeing? I.e., where are you setting or looking for the session?
If you can provide a sample app that reproduces the behavior with all of the versions, including which version of Node, it will make it much easier for someone to find the issue.
@JoeWagner - I am using Node 5.11.1
To check the sessionID behavior I used the code below in my app.js:
```js
app.all('*', function (req, res, next) {
  console.log(req.session);
  console.log(req.sessionID);
  next(); // pass control to the next handler
});
```
I placed the above code right after the line below in my app.js:
```js
app.use(expressSession({ secret: 'mysecret', name: 'user', cookie: { maxAge: 60000000 } }));
```
On continuously refreshing the page, I was intermittently seeing different SessionIDs in my logs.
I am using passport for login, which sets a cookie in the express session. Now, because a new session is getting created every time, I am not able to access the serialized user id stored in the session for the logged-in user. New sessionIDs in the logs confirmed that the issue is not with passport authentication but with the session.
I don't have sample app because I have replaced my code with MongoStore in app to make it work.
@justiko Are you saying that when you use a MongoStore everything works?
As far as I can tell there isn't anything wrong with the code you've provided above. If you want to try to isolate the issue into some code that someone else can run that would be great. Otherwise I would suggest starting by looking to ensure the cookie is present in requests.
Yes, after changing the code to MongoStore things are working. But I am still not able to figure out what was causing the issue with the OOTB memory store. Could it be because my hosting server is not persisting the session in memory, or an issue in express-session itself when used with the memory store? I'll try to deploy another app on my hosting to replicate the issue.
The memory store is not designed for anything past running tests and local development use. If you're curious why, you can search through older issues for the reasoning.
I've encountered a similar problem, except it was because I wasn't including cookies when using the browser fetch.
It sounds like the issue has been resolved, so I'm going to close it :) As for the memory store comments, usually the main issue is that most PaaS providers like Heroku will run your app as multiple instances, and since memory does not span Node.js processes, each instance will effectively have a different session ID list, causing new session creation when a request hits a different instance than the one it was created on.
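Added example (not part of the thread and not express-session's own code): a dependency-free model of the two causes named in the comments above, a session store that lives in one process's memory and a client that does not send the cookie back. The names `makeInstance` and `distinctSessionIds`, the secret, and the strict round-robin routing are assumptions made for the illustration.

```javascript
const { randomBytes, createHmac, timingSafeEqual } = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed; identical on every instance

// Cookie value = "<sid>.<HMAC of sid>", a simplified stand-in for the signed cookie.
const sign = (sid) => sid + '.' + createHmac('sha256', SECRET).update(sid).digest('hex');

// Returns the session ID when the signature verifies, otherwise null.
function unsign(cookie) {
  if (typeof cookie !== 'string' || !cookie.includes('.')) return null;
  const sid = cookie.slice(0, cookie.lastIndexOf('.'));
  const got = Buffer.from(cookie);
  const want = Buffer.from(sign(sid));
  return got.length === want.length && timingSafeEqual(got, want) ? sid : null;
}

// One app instance (one Node.js process); `store` plays the session store.
function makeInstance(store) {
  return function handle(cookie) {
    const sid = unsign(cookie);
    if (sid && store.has(sid)) return { sid, setCookie: null };
    // Missing cookie, bad signature, or ID unknown to this store: new session.
    const fresh = randomBytes(16).toString('hex');
    store.set(fresh, {});
    return { sid: fresh, setCookie: sign(fresh) };
  };
}

// Sends `hits` requests round-robin over the instances and returns how many
// distinct session IDs the client saw. sendCookie=false models a client that
// never returns the cookie (for example fetch() without credentials).
function distinctSessionIds(instances, hits, sendCookie = true) {
  let cookie;
  const seen = new Set();
  for (let i = 0; i < hits; i++) {
    const res = instances[i % instances.length](sendCookie ? cookie : undefined);
    if (res.setCookie) cookie = res.setCookie;
    seen.add(res.sid);
  }
  return seen.size;
}

const shared = new Map(); // stands in for an external store such as MongoStore
console.log('memory per process:', distinctSessionIds([makeInstance(new Map()), makeInstance(new Map())], 6));
console.log('shared store:      ', distinctSessionIds([makeInstance(shared), makeInstance(shared)], 6));
console.log('cookie not sent:   ', distinctSessionIds([makeInstance(new Map())], 4, false));
```

The cookie signature verifies on every instance because the secret is shared; what differs is whether the store behind that instance knows the ID. A real load balancer does not route strictly round-robin, which is why the thread reports the new IDs as intermittent.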
@dougwilson I verified the problem. The problem is with the PaaS provider only. It's the same issue you mentioned, that memory does not span Node processes. Thank you for closing it.
For those googling around for this same issue, I fixed mine by setting the flag saveUninitialized: false in the session middleware.