I configure the express-session plugin like this:
    var express = require('express'),
        session = require('express-session'),
        // assumed: MongoStore comes from connect-mongo (mongooseConnection is its option)
        MongoStore = require('connect-mongo')(session),
        uuid = require('node-uuid');

    // app (the Express app) and db (the mongoose connection) are defined elsewhere
    var expiration_day = new Date('9/15/2015'),
        today = new Date(),
        session_life = Math.abs(expiration_day.getTime() - today.getTime());

    var config = {
        name: 'mycookie', // session ID cookie name
        key: 'mycookie', // session ID cookie name
        secret: '$FGDFH$W#WEgfgdf',
        hash: {
            salt: '9883hjHFIDSU&U#H'
        },
        store: new MongoStore({mongooseConnection: db}),
        unset: 'keep', // never remove expired sessions
        saveUninitialized: true, // always create session, even if nothing is stored
        resave: false, // don't save session if unmodified
        ttl: session_life,
        autoRemove: 'disabled', // disable expired sessions cleaning
        genid: function (req) {
            "use strict";
            return uuid.v4();
        },
        cookie: {
            path: '/api', // cookie will be stored for requests under '/api'
            httpOnly: false,
            domain: 'example.com',
            secure: false,
            expires: expiration_day,
            maxAge: session_life
        }
    };

    app.sessionMW = session(config); // session middleware
In the Chrome and Mozilla Firefox browsers, only one session is created for the user. This session is available on all routes that use the sessionMW middleware. So if you do a GET or POST request to /api/users/ or /api/sessions, the same session id is stored in a cookie and is sent in the cookie header for each request.
Internet Explorer does not work that way. For each request, a new session is created. The session is stored on the server and I have confirmed that there is a new cookie in the browser for each route of the application.
I have defined the domain, the path and the expiration in the cookies. The cookie in IE shows these values.
I do not use cookieParser, so that can't be the problem.
The problem seems to be on the client-side, anyway. Internet Explorer is not sending the Cookie header with the request. It receives the set-cookie header in the response for each request. But the data is never re-used on subsequent requests.
Could this be a CORS issue? The cookie is not for the same domain on which I am running the application. I need a session on all routes of the API hosted on another domain.
The client-side is configured to include cookies in CORS requests:
    $.ajaxSetup({
        cache: false,
        xhrFields: {
            withCredentials: true // all AJAX requests should include Cookie data
        }
    });
I send these Access-Control headers in the response to each request:
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
    Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH
    Access-Control-Allow-Origin: http://example.com
Why is IE not setting the Cookie header in the requests? The domain does not have an underscore in its name and it does not start with a number.
Express-session: an HTTP server-side framework used to create and manage a session middleware. This tutorial is all about sessions, so the express-session library will be the main focus. Cookie-parser: used to parse the cookie header to store data on the browser whenever a session is established on the server side.
Where is the session data stored? It depends on how you set up the express-session module. All solutions store the session id in a cookie, and keep the data server-side. The client will receive the session id in a cookie, and will send it along with every HTTP request.
cookie-session is used for lightweight session applications where the session data itself is stored in a cookie on the client (the browser), whereas express-session stores only a session identifier in a cookie on the client and keeps the session data entirely on the server.
The session secret is a key used for signing and/or encrypting cookies set by the application to maintain session state.
Because ASP session state and session variables rely on cookies to function, ASP cannot maintain session state between requests if cookies cannot be set on the client. This issue can also be caused by an incorrect name syntax in a host header.
Installation is done using the npm install command. Create a session middleware with the given options. Note: Session data is not saved in the cookie itself, just the session ID. Session data is stored server-side. Note: Since version 1.5.0, the cookie-parser middleware no longer needs to be used for this module to work.
express-session-cache-manager: A store that implements cache-manager, which supports a variety of storage types. express-session-etcd3: An etcd3 based session store.
The session argument should be a session if found, otherwise null or undefined if the session was not found (and there was no error). A special case is made when error.code === 'ENOENT' to act like callback(null, null). This required method is used to upsert a session into the store given a session ID (sid) and session (session) object.
For those of you using fetch, be sure to set the credentials to include:
    fetch('/url/', { credentials: 'include' });
Otherwise the session ID will not be included with the request in IE Edge.
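As an added example (not part of the original question or answer), this Node.js sketch checks the standard conditions this thread depends on: the credentialed-CORS response headers, the client-side credentials setting, and the cookie's Domain/Path scope from the posted config. The API host names and helper names are constructed assumptions, and browser-specific privacy settings are not modelled.

```javascript
// Added example: hosts, headers and helper names are constructed for illustration.

// RFC 6265 5.1.3: the request host equals the cookie domain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// RFC 6265 5.1.4: the request path equals the cookie path or lies beneath it.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Lists why a session cookie would not round-trip on a credentialed CORS request.
function diagnose(pageOrigin, apiUrl, cookie, headers, withCredentials) {
  const url = new URL(apiUrl);
  const problems = [];
  if (!withCredentials) problems.push('credentials not requested by the client');
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === '*') problems.push('wildcard origin is rejected with credentials');
  else if (allowOrigin !== pageOrigin) problems.push('allowed origin does not match page origin');
  if (headers['access-control-allow-credentials'] !== 'true')
    problems.push('Access-Control-Allow-Credentials is not "true"');
  if (!domainMatches(url.hostname, cookie.domain))
    problems.push('cookie domain does not match API host');
  if (!pathMatches(url.pathname, cookie.path))
    problems.push('request path is outside cookie path');
  if (cookie.secure && url.protocol !== 'https:')
    problems.push('Secure cookie on a non-HTTPS request');
  return problems;
}

// Values from the question; the API host names are constructed assumptions.
const cookie = { domain: 'example.com', path: '/api', secure: false };
const headers = {
  'access-control-allow-origin': 'http://example.com',
  'access-control-allow-credentials': 'true',
};
console.log(diagnose('http://example.com', 'http://api.example.com/api/users', cookie, headers, true));
console.log(diagnose('http://example.com', 'http://api.example.net/api/users', cookie, headers, false));
```

An empty list means the cookie scope and CORS headers are consistent with the standards, so the remaining cause lies in the browser's own cookie policy or the client request options.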