jaredhanson / passport-local

Username and password authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-local/?utm_source=github&utm_medium=referral&utm_campaign=passport-local&utm_content=about
MIT License

Shared Session #94

Open jeremykentbgross opened 9 years ago

jeremykentbgross commented 9 years ago

I have been having issues that I thought were a browser fault where it appeared that multiple requests eventually got given a different cookie and got a different session.

After sleeping on it, it occurred to me that maybe this was because I was using the same user login on multiple devices, and multiple browsers on each of those devices, and maybe I am either somehow doing this wrong, or perhaps it isn't supported properly. So I restarted my app and logged in with the (formerly most) troublesome device+browser combination. After this restart it worked perfectly on that device, which seems to confirm my suspicion.

I am wondering: do I need to keep track of multiple sessions per user myself and somehow identify all the unique devices/browsers/(and proxy routings someday as needed) they might use at the same time separately? If so, how should I do this? If not, am I doing something else wrong?

My code for handling the logins is as follows:

var LocalStrategy = require('passport-local').Strategy;

module.exports =
{
    init: function init(inPassport, inUsers)
    {
        console.log("Using Local Memory Storage");

        inPassport.use(
            new LocalStrategy(
                function(inUsername, inPassword, inDone)
                {
                    var aUser;

                    console.log('Trying to login user:', inUsername);

                    aUser = inUsers[inUsername];
                    if(!aUser)
                    {
                        console.log('No User:', inUsername);
                        return inDone(null, false, { message: 'Incorrect username or password.' });
                    }

                    if(/*aUser.userName === inUsername && */aUser.password === inPassword)
                    {
                        console.log('User Found:', inUsername);
                        return inDone(null, aUser);
                    }

                    console.log('Bad Password for:', inUsername);
                    return inDone(null, false, { message: 'Incorrect username or password.' });
                }
            )
        );

        inPassport.deserializeUser(
            function(inUsername, inDone)
            {
                var aUser;

                aUser = inUsers[inUsername];
                if(!aUser)
                {
                    inDone(null);
                }

                if(aUser.userName === inUsername)
                {
                    inDone(null, aUser);
                    return;
                }

                //failed
                inDone(null);
            }
        );
    }
};

GochoMugo commented 9 years ago

I tried to recreate this case but I could not. Off the top of my head, I would suggest you try to ensure that passport.session() is called somewhere*.

And please add a return to the first inDone(null) in inPassport.deserializeUser. You end up throwing an error in the following if(aUser.userName === inUsername) should aUser be undefined. The error would look like this:

TypeError: Cannot read property 'userName' of undefined
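
The missing `return` described in the comment above, shown as an added example that is not part of the thread or of passport-local itself: the deserializer as posted next to the version with the suggested `return`, run against a username that is absent from the store. The `users` object, the `run` harness and both factory function names are constructed for this illustration.

```javascript
// Constructed sample store, keyed by username like inUsers in the issue.
const users = { alice: { userName: 'alice', password: 'constructed-sample' } };

// Deserializer as posted in the issue: no return after the first inDone(null).
function makeDeserializerAsPosted(inUsers) {
  return function (inUsername, inDone) {
    const aUser = inUsers[inUsername];
    if (!aUser) {
      inDone(null); // callback fires, but execution continues below
    }
    if (aUser.userName === inUsername) { // TypeError when aUser is undefined
      return inDone(null, aUser);
    }
    inDone(null);
  };
}

// Same logic with the return suggested in the reply.
function makeDeserializerWithReturn(inUsers) {
  return function (inUsername, inDone) {
    const aUser = inUsers[inUsername];
    if (!aUser) {
      return inDone(null); // stop here: the callback fires exactly once
    }
    if (aUser.userName === inUsername) {
      return inDone(null, aUser);
    }
    return inDone(null);
  };
}

// Hypothetical harness: records every callback invocation and any thrown error.
function run(deserialize, username) {
  const calls = [];
  let thrown = null;
  try {
    deserialize(username, (err, user) => calls.push({ err, user }));
  } catch (e) {
    thrown = e;
  }
  return { calls, thrown };
}

// 'mallory' is a constructed username that is not in the store.
const asPosted = run(makeDeserializerAsPosted(users), 'mallory');
const withReturn = run(makeDeserializerWithReturn(users), 'mallory');
console.log('as posted  :', asPosted.calls.length, 'callback(s), threw', asPosted.thrown && asPosted.thrown.name);
console.log('with return:', withReturn.calls.length, 'callback(s), threw', withReturn.thrown);
```

As posted, the callback has already fired by the time the `TypeError` is raised, so the caller sees both a completed callback and an exception for the same request.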