Parameters of session:false not work

[jcyh0120]

I tried this example code passport-local-example and applied parameters to local strategy.

//express-4.x-local-example/server.js
passport.use(new LocalStrategy({
  usernameField: 'email',
  passwordField: 'passwd',
  passReqToCallback: true,
  session: false
}, function(req, username, password, done) {
  // request object is now first argument
  // ...
  }));

However, it seems that session is still in use. I could get user's password from req.session.user.

Only username , password, callback are set in this lib.

//passport-local/lib/strategy.js
function Strategy(options, verify) {
  if (typeof options == 'function') {
    verify = options;
    options = {};
  }
  if (!verify) { throw new TypeError('LocalStrategy requires a verify callback'); }

  this._usernameField = options.usernameField || 'username';
  this._passwordField = options.passwordField || 'password';

  passport.Strategy.call(this);
  this.name = 'local';
  this._verify = verify;
  this._passReqToCallback = options.passReqToCallback;
}

I don't have experience in security. Is it correct that I could get user's password in req.user.password? Will this be unsafe?

[barroudjo]

I also realized that sessions are always in use, even when set to false in the strategy options. This is an issue, right ?

[micmro]

Bit of a late answer but as reference for everyone else:

The sessions option described int he readme appears to be wrong (see PR to fix this).

It needs to be added to the passport.authenticate middleware initialization instead (source):

app.post('/login', passport.authenticate(['local'], {
    session: true
    /** other options **/
  }), (req, res) => {
    /** your handler */
  })

[wzup]

Same here https://github.com/jaredhanson/passport-local/issues/155

session: false has to be in

passport.authenticate('local', {session:false})