Session: express-session creates new session over https

Created on 20 May 2020 · 8 Comments · Source: expressjs/session

I am using express-session with Redis and as soon as I deploy the code to Elastic Beanstalk and use https, a new session is created upon every request. If I use http then it works as expected.
The problem is not with Redis, as I had the same issue before when I was using the memory to store the session.

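const express = require('express');
const session = require('express-session');
const redis = require('redis');
const uuidv4 = require('uuidv4').uuid;
const redisStore = require('connect-redis')(session);
const redisClient = redis.createClient();

const app = express();
// Trust the first proxy hop so X-Forwarded-Proto is honoured
app.set('trust proxy', 1);

app.use(session({
  secret: uuidv4(),
  name: 'name_',
  resave: false,
  saveUninitialized: true,
  store: new redisStore({ client: redisClient, ttl: 86400 }),
  cookie: { secure: true } // cookie is only set on requests seen as HTTPS
}));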

Labels: awaiting more info, question

All 8 comments

Hello @siyavash4812, you will need to provide a minimal working program just the setup.
I have taken the settings you have and it is working.

const fs = require('fs');
const express = require('express');
const session = require('express-session');
const path = require('path');
const redis = require('redis');
const app = express();
const cookieParse = require('cookie-parser');
const uuidv4 = require('uuidv4').uuid;
const RedisStore = require('connect-redis')(session);
const redisClient = redis.createClient();
const https = require('https');
const debug = require('debug')('test-session');
const secret = 'some random secret 123';
app.use(cookieParse(secret));
app.use(
  session({
    secret: uuidv4(),
    name: 'name_',
    resave: false,
    saveUninitialized: true,
    store: new RedisStore({ client: redisClient, ttl: 86400 }),
    cookie: { secure: true }
  })
);

app.use('/', (req, res, next) => {
  debug(`session in client is ${JSON.stringify(req.session, null, 2)}`);
  req.session.status = "ok"
  res.json({status: "ok"})
});

https.createServer({
  key: fs.readFileSync(path.join(__dirname, './certs/key.pem')),
  cert: fs.readFileSync(path.join(__dirname, './certs/cert.pem')),
  passphrase: 'abc123',
}, app)
  .listen(3000);

I may have misunderstood the question. So please provide more information. I'm reading this as: it keeps creating a new session on each request.

Apologies, it has just occurred to me. Are you calling uuidv4 each time? I am not sure of your environment but is your secret being generated each time?

Thank you for your message. The uuid is called once so I don't think that is the problem, and I think if that was the issue, http would also be broken. I did some more digging and it seems like I have the exact same problem as renehauck (https://github.com/expressjs/session/issues/652). However, in my case I do receive "x-forwarded-proto": "https".

OK, so this is good information. Would it be possible to run the code with

DEBUG=express-session node app.js

so we could capture some of the output?

What I am trying to work out is for https

  • is the cookie sent each time? Was the cookie dropped for non-secure?
  • or is a secure cookie dropped and a new session created each time?

I finally found out what was the problem 🎉 CloudFront was not sending any cookies to my server. Such a silly mistake.

Wow, so glad you found out. How did you work this out, and how are you going to remedy it?

Closing as this is resolved. If the author provides more information it would help the community, as CloudFront is widely used. What did @siyavash4812 do to allow cookie passing?
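
The two questions asked in the thread (was the request seen as HTTPS, and did the session cookie reach the app at all) can be answered per request with a small check. This is an added example, not code from the thread or from express-session; the function names, the verdict strings and the sample requests are hypothetical, and it assumes a single trusted proxy hop that sets `X-Forwarded-Proto`.

```javascript
// Added diagnostic sketch, not express-session code; all names are hypothetical.
const SESSION_COOKIE = 'name_'; // cookie name taken from the config in the thread

// Return the value of one cookie from a raw Cookie header, or null if absent.
function readCookie(header, name) {
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// Would the app see this request as HTTPS? Assumption: one trusted proxy hop
// that sets X-Forwarded-Proto, as with app.set('trust proxy', 1).
function looksSecure(req, trustProxy) {
  if (req.encrypted) return true;   // TLS terminated by Node itself
  if (!trustProxy) return false;    // forwarded headers are ignored
  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0];
  return proto.trim().toLowerCase() === 'https';
}

// Classify one request. The first request from any client legitimately has no
// cookie; the signal is 'no-session-cookie' repeating on later requests.
function diagnose(req, { trustProxy, cookieSecure }) {
  if (cookieSecure && !looksSecure(req, trustProxy)) return 'not-seen-as-https';
  if (readCookie(req.headers.cookie, SESSION_COOKIE) === null) return 'no-session-cookie';
  return 'session-cookie-present';
}

// Express-style middleware wrapper that logs the verdict for each request.
function sessionDiagnostics(opts) {
  return (req, res, next) => {
    console.log(req.url, diagnose({ encrypted: !!req.socket.encrypted, headers: req.headers }, opts));
    next();
  };
}

// Constructed sample requests as the app would receive them (not captured traffic).
const samples = {
  cookieStripped: { encrypted: false, headers: { 'x-forwarded-proto': 'https' } },
  plainHttp: { encrypted: false, headers: { 'x-forwarded-proto': 'http' } },
  healthy: { encrypted: false, headers: { 'x-forwarded-proto': 'https', cookie: 'theme=dark; name_=s%3Aabc' } },
};
const opts = { trustProxy: true, cookieSecure: true };
for (const [label, req] of Object.entries(samples)) console.log(label, '->', diagnose(req, opts));
```

Mounted before the session middleware, a verdict of `no-session-cookie` on every request from a browser that did receive a `Set-Cookie` means the cookie is being lost between the client and the app, which is the situation the author reported.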
