I have a NodeJS Express app that uses express-session. This works great, as long as session cookies are supported.
Unfortunately it also needs to work with a PhoneGap app that does not support cookies of any kind.
I am wondering: Is it possible to get an express session and access the data in that session, using the sessionID?
I am thinking I could append the sessionID as a querystring parameter for every request sent by the PhoneGap app like so:
https://endpoint.com/dostuff?sessionID=whatever
But I don't know how to tell express to retrieve the session.
The Session Store API has an optional all() method "used to get all sessions in the store as an array". You would call it like req.sessionStore.all((err, sessions) => { ... })
Express-session - an HTTP server-side framework used to create and manage a session middleware. This tutorial is all about sessions. Thus Express-session library will be the main focus. Cookie-parser - used to parse cookie header to store data on the browser whenever a session is established on the server-side.
var cookieSession = require('cookie-session')
var express = require('express')
var app = express()
app.use(cookieSession({
  name: 'session',
  keys: ['key1', 'key2']
}))
// Update a value in the cookie so that the set-cookie will be sent.
// Only changes every minute so that it's not sent with every request.
The Express session middleware... calculates a hash over the combination of the session id and a secret. Since calculating the hash requires possession of the secret, an attacker will not be able to generate valid session ids without guessing the secret (or just trying to guess the hash).
You can certainly create an express route/middleware that tricks express-session into thinking that the incoming request contains the session cookie. Place something like this before the session middleware:
app.use(function getSessionViaQuerystring(req, res, next) {
  var sessionId = req.query.sessionId;
  if (!sessionId) return res.sendStatus(401); // Or whatever
  // Trick the session middleware into thinking you have the cookie.
  // Make sure you configure the cookie name, and set 'secure' to false
  // in https://github.com/expressjs/session#cookie-options
  // req.cookies is populated by cookie-parser, which must run before this middleware.
  req.cookies['connect.sid'] = sessionId;
  next();
});
Seems like req.cookies isn't accessible in my case. Here's another solution that recreates the session using the 'x-connect.sid' header (you may use any name or even a query param if you like).
Put this middleware after the session middleware
// FIRST you set up your default session like: app.use(session(options));
// THEN you recreate it using your/custom session ID
app.use(function(req, res, next){
  var sessionId = req.header('x-connect.sid');

  // Load the stored session for sessionId and attach it to the request.
  function makeNew(next){
    if (req.sessionStore){
      req.sessionStore.get(sessionId, function(err, session){
        if (err){
          console.error("error while restoring a session by id", err);
        }
        if (session){
          req.sessionStore.createSession(req, session);
        }
        next();
      });
    } else {
      console.error("req.sessionStore isn't available");
      next();
    }
  }

  if (sessionId) {
    if (req.session){
      // Drop the fresh session the session middleware just created.
      req.session.destroy(function(err){
        if (err) {
          console.error('error while destroying initial session', err);
        }
        makeNew(next);
      });
    } else {
      makeNew(next);
    }
  } else {
    next();
  }
});
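An added example, not part of either answer above or of express-session itself: instead of accepting a bare session ID, this middleware expects the client to send the signed value (the `s:<id>.<HMAC-SHA256>` form used for the connect.sid cookie) in a request header and verifies it in constant time before consulting the store, so a guessed or altered ID is rejected without a store lookup. The names `sessionFromHeader`, `req.restoredSession` and `makeStore`, and the header name in the usage comment, are hypothetical and chosen for illustration.

```javascript
const crypto = require('crypto');

// Same shape as the signed connect.sid cookie value:
// "s:" + sid + "." + base64(HMAC-SHA256(sid, secret)) with trailing "=" removed.
function sign(sid, secret) {
  const mac = crypto.createHmac('sha256', secret).update(sid).digest('base64').replace(/=+$/, '');
  return 's:' + sid + '.' + mac;
}

// Returns the session ID if the signature matches, otherwise null.
function unsign(token, secret) {
  if (typeof token !== 'string' || !token.startsWith('s:')) return null;
  const dot = token.lastIndexOf('.');
  if (dot < 3) return null; // no signature part, or empty session ID
  const expected = Buffer.from(sign(token.slice(2, dot), secret));
  const actual = Buffer.from(token);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (expected.length !== actual.length) return null;
  return crypto.timingSafeEqual(expected, actual) ? token.slice(2, dot) : null;
}

// Express-style middleware. The store only needs get(sid, cb), which is part
// of the express-session store interface.
// Usage (hypothetical header name): app.use(sessionFromHeader(store, secret, 'x-session-token'))
function sessionFromHeader(store, secret, headerName) {
  return function (req, res, next) {
    const sid = unsign(req.headers[headerName], secret);
    if (!sid) { res.statusCode = 401; return res.end(); }
    store.get(sid, function (err, sess) {
      if (err) return next(err);
      if (!sess) { res.statusCode = 401; return res.end(); }
      req.sessionID = sid;
      req.restoredSession = sess; // hypothetical property holding the stored data
      next();
    });
  };
}

// Constructed in-memory store so the example runs without a real session store.
function makeStore(data) {
  const sessions = new Map(Object.entries(data));
  return { get(sid, cb) { cb(null, sessions.get(sid) || null); } };
}
```

Sending the token in a header keeps it out of the URL, so it does not end up in access logs, browser history or Referer headers the way a `?sessionID=` query parameter would.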