Session: Is it possible to detect closed sessions?

Created on 16 May 2019  路  7Comments  路  Source: expressjs/session

For example:

  • a user connects to my server and a session is established, so far so good
  • the server is taken down or crashes
  • the user refreshes and the browser sends the cookie accordingly
  • a load balancer detects that the server was taken down and redirects to another server, however, this server doesn't know about the session that has been established before
  • the server should detect that the user's request provides a proper cookie but the sessionID is invalid

In this scenario I'd like to tell the user that the session has been lost or closed by the server, instead of just redirecting to the login page. Can I detect this scenario using express-session ?

Have a nice day !

question

Most helpful comment

You need to use a session store, this is what they're designed for: stateful sessions. Otherwise you're using the in-memory store, which this repo notes "is purposely not designed for a production environment. It will leak memory under most conditions, does not scale past a single process, and is meant for debugging and developing."

All 7 comments

What are you using for session storage?
Redis https://github.com/tj/connect-redis

app.use(session( /* setup session here */ ))
app.use(function (req, res, next) {
  if (!req.session) {
    return next(new Error('oh no')) // handle error
  }
  next() // otherwise continue
})

I don't specify the storage option. Here's my code:

app.use(session({
    secret: 'something',
    resave: false,
    saveUninitialized: false
}));
app.get('/', (req, res) => {
    if (!req.session.views) req.session.views = 0;
    req.session.views++;
    // send hostname (to identify the server) and the view count according to the session
    res.send('Hostname: ' + os.hostname() + " views: " + req.session.views);
});

I set up a load balancer which basically switched between server 1 and server 2 whenever the client sends a request. That means whenever I reload the page the hostname that is returned by the server alternates between, let's say, s1 and s2. However, the view variable of the req.session object is always 1, because (afaik):

  • a session is created on s1 because there was no previous session, also the views variable is initialized to 0 and incremented to 1
  • the page says: "Hostname: s1 views: 1"
  • when reloading the client's request is sent to s2 but s2 doesn't know the session that s1 has created
  • s2 creates a new session where req.session.views is undefined thus views is initialized to 0 and incremented to 1
  • the page says: "Hostname s2 views: 1"

In this case I want to detect that s1 has already created a session that is sent to s2 (I don't neccessarily want to know the value of views, I just want to detect that the client has a session cookie)
My problem is that in both cases (1) the client sends a request without a session cookie and (2) the client sends a session cookie that is unknown to the server, the req.session object is newly created (because a new session gets created, afaik) and I currently don't know what variable or function I can use to detect whether case 1 or 2 has happened.

Long story short: Is there a way to detect an invalid session before it is overwritten by a new session?

Have a nice day !

You need to use a session store, this is what they're designed for: stateful sessions. Otherwise you're using the in-memory store, which this repo notes "is purposely not designed for a production environment. It will leak memory under most conditions, does not scale past a single process, and is meant for debugging and developing."

If I may suggest, a good option in this case seems to be session-file-store that is also documented in the README, which can be shared between s1 and s2 via a shared drive.

@Fju - do you want to try this out and let us know how it goes? Are you expecting any further information on this topic? Thanks!

That's a possible solution, but it seems kind of counter-intuitive to me. First I load-balance my web server and then I introduce a central session storage that needs to be queried? That's the opposite of what I wanted to achieve. Don't get me wrong, maybe it's performing well - I haven't tried it yet. But the theory sounds kind of illogical.
Anyway, I don't use expressjs anymore. When I did, I fixed this "problem" by using a load-balancing proxy (HAproxy if I remember correctly) that prefixed the session cookie with s1~ or s2~. This way, the proxy was able to determine, which server the request belongs to - no central storage needed. It's a safe fix and easy to set up. If I find my HAproxy configuration file somewhere, I will post it here - since it's kind of related to this issue thread.
But be aware, if a server is not available the session information will be lost, since only one server stores the session information of a client. This won't occure with a central session storage.

@Fju - thanks; I understand your scenario, and the rationale to use the specific configuration you mentioned. At high level, distributed computing operates with many tradeoffs, and there is no single balancing formulae that fits all use cases. In this scenario, I guess the most notable tradeoffs are RPO (Recovery Point Objective) with architectural flexibility - ability to use a reverse proxy in the middle etc.

If nothing more to be diagnosed as part of this issue, I suggest we clsose this issue?

I agree on closing this issue, thanks for your wrap-up on this topic @gireeshpunathil

Was this page helpful?
0 / 5 - 0 ratings

Related issues

shaunwarman picture shaunwarman  路  17Comments

azfar picture azfar  路  14Comments

G-Adams picture G-Adams  路  16Comments

gk0us picture gk0us  路  18Comments

Jpunt picture Jpunt  路  17Comments