Session created for every request #484
I think I might have found a solution, at least when testing in my local environment:

```js
const express = require('express');
const cors = require('cors');
const cookieParser = require('cookie-parser');
const session = require('express-session');
const MongoStore = require('connect-mongo');

const app = express();
// mongodb_client: an already-connected MongoClient created elsewhere in the app

// CORS configuration
const cors_options = {
  origin: 'http://localhost:3000', // Replace with your allowed origin(s)
  credentials: true, // Allow credentials (cookies, authorization headers, etc.)
};
app.use(cors(cors_options));
app.use(cookieParser());

// session configuration object
const session_config = {
  // secret used to sign the session ID cookie
  secret: process.env.SESSION_SECRET,
  // when true, forces the session to be saved back to the store even if it was never modified during the request
  resave: false,
  // when true, forces a session that is "uninitialized" (new but never modified) to be saved to the store
  saveUninitialized: false,
  // cookie settings
  cookie: {
    // false for local HTTP testing; set to true in production so the cookie is only sent over HTTPS
    secure: false,
    // maxAge: 2 * 60 * 60 * 1000 // 2 hours in milliseconds; if not set, the cookie expires when the browser is closed
    httpOnly: true,
    path: '/'
  },
  // use connect-mongo to store sessions in MongoDB
  store: MongoStore.create({
    clientPromise: Promise.resolve(mongodb_client), // use the existing mongodb client
    dbName: 'express_sessions', // specify the database name
    collectionName: 'express_sessions', // specify the collection name
    autoRemove: 'native', // native is the default
    // crypto: {
    //   secret: process.env.SESSION_STORAGE_CRYPTO_SECRET,
    //   algorithm: 'aes-256-gcm'
    // }
  })
};
app.use(session(session_config));
```

I am still testing, but wanted to post back in case it saved someone the time in writing a response. Obviously, I will need to modify the security-related settings for production, but I will look at that next. The good news is now only 1 session is being created in the MongoDB database.
I'm submitting a ...

- [x] question about how to use this project
Summary
I've been troubleshooting this issue for several hours and have googled things like:
I can also see that several issues in this repo on the same topic have been resolved and closed.

I have tried all the solutions that others seem to have found resolved the issue, i.e. setting `saveUninitialized` to `false`, `sameSite` to `none`, and enabling `cors` with `credentials` set to `true`.
My initial problem started when I noticed an Azure AD auto-signin redirect back to my application's `/redirect` endpoint was creating a different session than the one that was created during the initial Azure AD B2C signin, and so I could see that two session object entries were added to my MongoDB Atlas database. Then I added some `console.log()` statements to log out `req.session` values and sessions started being created in the database for every request (images, js, css etc.). I just thought I would post a chunk of my testing code below to ask if I am doing anything obviously wrong:
I'd appreciate any tips that could lead to a solution.
Thank You.