Confusion over session IDs using Connect

Tags:

node.js

I've been observing session IDs over sequential requests and observed some things I cannot explain:

1) When calling req.sessionID vs. req.cookies["connect.sid"] the values are different (it appears the request.sessionID is magically returning the SID from its associated response - which seems impossible to me).

From my understanding of the Connect source code, req.sessionID is synonymous with the cookie key, so why the difference?

2) The first time I make a request from the node server, the browser is issued an SID (let's call this SID1). The next time I connect, the browser is issued SID2. The third and subsequent times I am again issued SID2. Why does node+Connect issue two session IDs before settling down?

Matt asked Feb 08 '11 21:02



2 Answers

The req.sessionID is the same as req.cookies["connect.sid"].

However, if you use supervisor or nodemon, the server is restarted when you modify files. When the server restarts, it drops all sessions stored by the server, but the client doesn't clear the old sessionID stored in the cookie. So you can get different sessionIDs.

See this answer for more.

iwege answered Oct 21 '22 11:10



So this is what I have concluded:

1) As the request is going through middleware/modules, I can only assume the current SID is affixed to the request before logging kicks in. This would be a partial explanation as to why req.sessionID might contain SID2 when req.cookies["connect.sid"] contains the previous SID1.

Some caveats:

  • This phenomenon is only present when the browser connects for the first time to a new node server instance.

  • The browser must have connected to a previous instance of the node server, which issued a cookie with the same key value (e.g. connect.sid).

2) After peeking around the source code for both Sesame and Connect I've come to realise they keep a record of all the session IDs they have issued - previously unknown to me. I suspect this is one step towards preventing session fixation.

With that in mind, I realised the SID1 sent in the request during an initial connection was left over from a previous session cookie. Connect would look for a session in its session store matching the SID1 the cookie sent, but as it was a new instance of the node server (just memory sessions here, no persistent sessions ATM), would fail to find it, hence a new SID (SID2) would be issued - this one to stick. Should've thought of this sooner. :)

TL;DR Expected behaviour. Cookies from old sessions are not reused for the sake of security.

Matt answered Oct 21 '22 10:10
