For example:
In this scenario I'd like to tell the user that the session has been lost or closed by the server, instead of just redirecting to the login page. Can I detect this scenario using express-session ?
Have a nice day !
What are you using for session storage?
Redis https://github.com/tj/connect-redis
app.use(session( /* setup session here */ ))
app.use(function (req, res, next) {
  if (!req.session) {
    return next(new Error('oh no')) // handle error
  }
  next() // otherwise continue
})
I don't specify the storage option. Here's my code:
const os = require('os');
const express = require('express');
const session = require('express-session');

const app = express();

app.use(session({
  secret: 'something',
  resave: false,
  saveUninitialized: false
}));
app.get('/', (req, res) => {
  if (!req.session.views) req.session.views = 0;
  req.session.views++;
  // send hostname (to identify the server) and the view count according to the session
  res.send('Hostname: ' + os.hostname() + " views: " + req.session.views);
});
I set up a load balancer which basically switched between server 1 and server 2 whenever the client sends a request. That means whenever I reload the page the hostname that is returned by the server alternates between, let's say, s1 and s2. However, the view variable of the req.session object is always 1, because (afaik):
req.session.views is undefined thus views is initialized to 0 and incremented to 1
In this case I want to detect that s1 has already created a session that is sent to s2 (I don't necessarily want to know the value of views, I just want to detect that the client has a session cookie)
My problem is that in both cases (1) the client sends a request without a session cookie and (2) the client sends a session cookie that is unknown to the server, the req.session object is newly created (because a new session gets created, afaik) and I currently don't know what variable or function I can use to detect whether case 1 or 2 has happened.
Long story short: Is there a way to detect an invalid session before it is overwritten by a new session?
Have a nice day !
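One way to tell case 1 (no cookie) from case 2 (a cookie this server does not know), as an added example that is not part of the original thread and is not express-session's own code: compare the session id in the incoming cookie with `req.sessionID` after `session()` has run. It assumes the default cookie name `connect.sid`, a single string secret, the `s:<sid>.<HMAC>` cookie format produced by the cookie-signature package, and that express-session issues a fresh `req.sessionID` when the store has no record; `req.sessionLost`, `presentedSid` and `detectLostSession` are hypothetical names.

```javascript
// Added example (not from the thread). Uses only Node's built-in crypto module.
const crypto = require('crypto');

// Signature scheme assumed to match cookie-signature:
// "<sid>.<base64 HMAC-SHA256(sid, secret) without '=' padding>"
function sign(sid, secret) {
  const mac = crypto.createHmac('sha256', secret).update(sid).digest('base64');
  return sid + '.' + mac.replace(/=+$/, '');
}

// Returns the session id carried by the request cookie, or null when the
// cookie is missing, malformed, or its signature does not verify. Rejecting
// bad signatures keeps a forged cookie from being reported as a "lost session".
function presentedSid(cookieHeader, name, secret) {
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== name) continue;
    let value;
    try {
      value = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      return null; // broken percent-encoding
    }
    if (!value.startsWith('s:')) return null; // not a signed cookie
    const signed = value.slice(2);
    const sid = signed.slice(0, signed.lastIndexOf('.'));
    const expected = Buffer.from(sign(sid, secret));
    const actual = Buffer.from(signed);
    const ok = expected.length === actual.length &&
      crypto.timingSafeEqual(expected, actual);
    return ok ? sid : null;
  }
  return null;
}

// Mount directly after session(), with the same secret and cookie name:
//   app.use(session({ secret: 'something', resave: false, saveUninitialized: false }));
//   app.use(detectLostSession({ secret: 'something' }));
function detectLostSession({ name = 'connect.sid', secret }) {
  return function (req, res, next) {
    const sid = presentedSid(req.headers.cookie, name, secret);
    // A validly signed id that differs from req.sessionID means the store
    // did not know the session and a new one was generated (case 2).
    req.sessionLost = sid !== null && sid !== req.sessionID;
    next();
  };
}
```

A route or later middleware can then check `req.sessionLost` to show a "your session has expired" message instead of silently starting over.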
You need to use a session store, this is what they're designed for: stateful sessions. Otherwise you're using the in-memory store, which this repo notes "is purposely not designed for a production environment. It will leak memory under most conditions, does not scale past a single process, and is meant for debugging and developing."
If I may suggest, a good option in this case seems to be session-file-store that is also documented in the README, which can be shared between s1 and s2 via a shared drive.
@Fju - do you want to try this out and let us know how it goes? Are you expecting any further information on this topic? Thanks!
That's a possible solution, but it seems kind of counter-intuitive to me. First I load-balance my web server and then I introduce a central session storage that needs to be queried? That's the opposite of what I wanted to achieve. Don't get me wrong, maybe it's performing well - I haven't tried it yet. But the theory sounds kind of illogical.
Anyway, I don't use expressjs anymore. When I did, I fixed this "problem" by using a load-balancing proxy (HAproxy if I remember correctly) that prefixed the session cookie with s1~ or s2~. This way, the proxy was able to determine which server the request belongs to - no central storage needed. It's a safe fix and easy to set up. If I find my HAproxy configuration file somewhere, I will post it here - since it's kind of related to this issue thread.
But be aware, if a server is not available the session information will be lost, since only one server stores the session information of a client. This won't occur with a central session storage.
@Fju - thanks; I understand your scenario, and the rationale to use the specific configuration you mentioned. At a high level, distributed computing operates with many tradeoffs, and there is no single balancing formula that fits all use cases. In this scenario, I guess the most notable tradeoffs are RPO (Recovery Point Objective) with architectural flexibility - ability to use a reverse proxy in the middle etc.
If there is nothing more to be diagnosed as part of this issue, I suggest we close this issue?
I agree on closing this issue, thanks for your wrap-up on this topic @gireeshpunathil