Session: req.sessionID changes after previous request

Created on 21 Apr 2019 · 9 Comments · Source: expressjs/session

I'm working on authentication with Twitter in a MERN stack for an e-commerce site. Let me walk you through where the issue comes up in the flow of my authentication.

3-LEGGED FLOW

1. The user clicks an anchor tag in the client (in this case React) which points to my server's "/login" route. That route requests a token from the Twitter API and then sets req.session.token before redirecting the user to the authorization page (i.e. api.twitter.com/oauth/authenticate).

   NOTE: this is done after the request I made to Twitter to request a request_token; the URL query params contain the oauth_token and secret.

   ```js
   // qs here is the querystring module (or the qs package), required at the top of the file;
   // oauth_token and oauth_token_secret come from the request_token response above

   // save the oauth token and secret to session
   // to verify against the user when the user accepted
   // the authentication from twitter
   req.session.token = oauth_token
   req.session.token_secret = oauth_token_secret

   // redirect the user to the authorization page
   // and redirect back to client with the oauth_token and oauth_verifier
   // in the query parameters
   const uri = `https://api.twitter.com/oauth/authenticate?${qs.stringify({ oauth_token: oauth_token })}`
   res.redirect(uri)
   ```

2. As step 1 says, Twitter will redirect the user to the client (React). At this point I verified that the connect.sid cookie is stored in the cookie storage, inspected with the dev tools. I then made another subsequent request to the server at the "/redirect" route to request an access token.

I'm expecting the server to recognize me with the cookies that I have, but it doesn't. When I logged req.sessionID, I got a different sessionID from the one in step 1.

This is the configuration for my session:

```js
app.use(session({ secret: "loyalty", resave: false, saveUninitialized: false, cookie: { maxAge: 1000 * 60 * 60, httpOnly: false, secure: false } }))
```

and my cors config as well:

```js
const corsOpts = { origin: CORS_ORIGIN, credentials: true }
```

awaiting more info

All 9 comments

Usually the only reasons the ID changes are that either the browser did not send the cookie (so this module generates a new ID) or the old ID is no longer in the store provided.

Would it be possible to provide the debug logs during this flow? Set environment variable DEBUG=express-session and then debug will be written to STDERR.

Here's the debug log:

```
express-session no SID sent, generating session +0ms
express-session saving mLQtgVJBNQuAhY4xJ7qyxcrIQaOYb4PE +654ms
express-session split response +3ms
express-session set-cookie connect.sid=s%3AmLQtgVJBNQuAhY4xJ7qyxcrIQaOYb4PE.A9iPJWiNFfNufngthfEp6bjhTVzXYK6pqmG4IludutY; Path=/; Expires=Sun, 21 Apr 2019 14:02:18 GMT +5ms
express-session no SID sent, generating session +6s
express-session no SID sent, generating session +808ms
```

The MemoryStore still stores the previous session data, which was generated in step 1.

Here's the MemoryStore:

```
MemoryStore {
     _events:
      [Object: null prototype] {
        disconnect: [Function: ondisconnect],
        connect: [Function: onconnect] },
     _eventsCount: 2,
     _maxListeners: undefined,
     sessions:
      [Object: null prototype] {
        mLQtgVJBNQuAhY4xJ7qyxcrIQaOYb4PE:
         '{"cookie":{"originalMaxAge":3600000,"expires":"2019-04-21T14:02:18.506Z","secure":false,"httpOnly":false,"path":"/"},"token":"uFIPRgAAAAAA8vAZAAABaj_9faM","token_secret":"a3ll99t5q6mKMjNExINyzXkB98g9EcGm"}' },
     generate: [Function] },
```

PS: I'm sorry for the format of this reply, can't seem to fix it properly in this editor

So the logs indicate that the client (web browser?) is not sending the cookie back. Without the cookie in the request, even though the value is in the memory store it cannot be loaded since the ID is not in the request.

In that case, will the browser send cookies along with a request (i.e. through AJAX) even though I specified the withCredentials property to be true on that particular request?

I think so, but it doesn't seem to be the case here. I am more of a backend person, so I'm not really familiar enough with all the front end things like AJAX and the like to give you a good answer.

From the backend perspective (mine and this module) the cookie header just needs to be on the request with the cookie name and value however you would configure that on the client side.

I think I know now what's wrong here. Looking into my code again, I saw that I completely forgot that the browser is firing a pre-flight request, and that request is being filtered in OPTIONS.

Such a silly mistake, my bad. I just noticed, after a long day of debugging, that I forgot to pass the config for that middleware. That express-session debugger helped me a lot too, I will make sure to utilize that! Thanks man, you helped me a lot! I can rest now.

Closing this now...

How did you solve it? I've got preflight requests as well, and I see req.sessionID is changed on every request. Does this have something to do with the preflight?

Hello, it's been a long time since I encountered this problem. If I remember correctly, you just need to allow "credentials" in your cors configuration.

Yes, it has something to do with the preflight request. If you're using express, you can pass your cors middleware with your cors config on the "options" namespace for your target route, e.g.:

```js
app.options("/targetRoute", cors(corsConfig))
```

I hope that'll help.
