Open oshihirii opened 1 month ago
I think I might have found a solution, at least when testing in my local environment:

- I needed to install `cookie-parser` and import it: `import cookieParser from 'cookie-parser';`
- I needed to add it above the session middleware.
- I needed to remove the `sameSite` and `domain` properties and set `secure` to `false`:
```js
import express from 'express';
import cors from 'cors';
import cookieParser from 'cookie-parser';
import session from 'express-session';
import MongoStore from 'connect-mongo';

// `mongodb_client` is an already-connected MongoClient created elsewhere in the app
const app = express();

// CORS configuration
const cors_options = {
  origin: 'http://localhost:3000', // Replace with your allowed origin(s)
  credentials: true, // Allow credentials (cookies, authorization headers, etc.)
};
app.use(cors(cors_options));
app.use(cookieParser());

// session configuration object
const session_config = {
  // secret used to sign the session ID cookie
  secret: process.env.SESSION_SECRET,
  // forces the session to be saved back to the session store, even if it was never modified during the request
  resave: false,
  // forces a session that is "uninitialized" to be saved to the store
  saveUninitialized: false,
  // cookie settings
  cookie: {
    // false for local HTTP testing; must be true in production so the cookie is only sent over HTTPS
    secure: false,
    // maxAge: 2 * 60 * 60 * 1000 // 2 hours in milliseconds, if not set, the cookie will expire when the browser is closed
    httpOnly: true,
    path: '/'
  },
  // use connect-mongo to store sessions in MongoDB
  store: MongoStore.create({
    clientPromise: Promise.resolve(mongodb_client), // use the existing mongodb client
    dbName: 'express_sessions', // specify the database name
    collectionName: 'express_sessions', // specify the collection name
    autoRemove: 'native', // native is the default
    // crypto: {
    //   secret: process.env.SESSION_STORAGE_CRYPTO_SECRET,
    //   algorithm: 'aes-256-gcm'
    // }
  })
};
app.use(session(session_config));
```
I am still testing, but wanted to post back in case it saved someone the time in writing a response.
Obviously, I will need to modify the security related settings for production, but I will look at that next.
The good news is now only 1 session is being created in the MongoDB database.
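As an added example for this thread (not the issue author's code and not the express-session or connect-mongo project's own), here is one way to keep the `secure: false` / no-`sameSite` settings that work for local HTTP testing from leaking into production: derive the cookie flags from the deployment mode in one builder function, then wire the middleware in the order the comment above converged on (CORS before the session). `buildSessionConfig`, `createApp`, the `crossSite` flag and the `SESSION_SECRET` / `FRONTEND_ORIGIN` / `RUN_SESSION_DEMO` environment variables are assumptions; express, cors and express-session are only loaded when `createApp()` is called. Note that express-session reads the `Cookie` header itself, so `cookie-parser` is not required for it to work.

```javascript
// Added example, not the issue author's code or express-session's own.
// Assumed names: buildSessionConfig, createApp, crossSite,
// SESSION_SECRET, FRONTEND_ORIGIN, RUN_SESSION_DEMO.

const TWO_HOURS_MS = 2 * 60 * 60 * 1000;

// Derive the cookie flags from the deployment mode instead of hand-editing them.
//  - development over plain http://localhost: `secure` must be false or the browser
//    drops the cookie. A frontend on :3000 and an API on :3001 are the same *site*
//    (the port is ignored), so SameSite=Lax is enough for credentialed fetches.
//  - production behind TLS: `secure` true. SameSite=None only when the frontend
//    really lives on another site; browsers reject SameSite=None without Secure,
//    so `crossSite` forces `secure` on even outside production.
function buildSessionConfig({ env, secret, crossSite = false, store }) {
  if (typeof secret !== 'string' || secret.length < 32) {
    throw new Error('session secret must be a string of at least 32 characters');
  }
  const production = env === 'production';
  const config = {
    name: 'sid',                // avoid the default cookie name that names the framework
    secret,
    resave: false,
    saveUninitialized: false,   // nothing hits the store until req.session is written to
    proxy: production,          // honour X-Forwarded-Proto from the TLS-terminating proxy
    cookie: {
      httpOnly: true,
      path: '/',
      secure: production || crossSite,
      sameSite: crossSite ? 'none' : 'lax',
      maxAge: TWO_HOURS_MS,
    },
  };
  if (store) config.store = store; // e.g. MongoStore.create({ ... }) from connect-mongo
  return config;
}

// CORS first so preflight responses carry Access-Control-Allow-Credentials,
// then the session middleware. Dynamic import keeps the module loadable
// (and the builder above testable) without the web dependencies installed.
async function createApp(sessionConfig, allowedOrigin) {
  const { default: express } = await import('express');
  const { default: cors } = await import('cors');
  const { default: session } = await import('express-session');

  const app = express();
  if (sessionConfig.proxy) app.set('trust proxy', 1);
  app.use(cors({ origin: allowedOrigin, credentials: true }));
  app.use(session(sessionConfig));

  // Static files never write to req.session, so with saveUninitialized:false they
  // create no store entries. Reading req.session in a console.log is not a write either.
  app.use('/static', express.static('public'));

  app.post('/login', express.json(), (req, res, next) => {
    // Regenerate on login so a session ID handed out before authentication is
    // never promoted to an authenticated one (session fixation defence).
    req.session.regenerate((err) => {
      if (err) return next(err);
      // This first write is what creates the store entry and sets the cookie.
      req.session.userId = String(req.body.userId || 'anonymous');
      res.json({ ok: true });
    });
  });

  app.get('/me', (req, res) => {
    res.json({ userId: req.session.userId ?? null });
  });
  return app;
}

// Stand-alone run, opt-in so that merely loading the file has no side effects.
if (process.env.RUN_SESSION_DEMO === '1') {
  const config = buildSessionConfig({
    env: process.env.NODE_ENV,
    secret: process.env.SESSION_SECRET,
    crossSite: process.env.FRONTEND_ORIGIN !== undefined && process.env.NODE_ENV === 'production',
  });
  createApp(config, process.env.FRONTEND_ORIGIN || 'http://localhost:3000')
    .then((app) => app.listen(3001, () => console.log('listening on :3001')));
}
```

Run with `RUN_SESSION_DEMO=1 SESSION_SECRET=<32+ random chars> node app.js` locally; in production add `NODE_ENV=production` and, if the frontend is on a different site, `FRONTEND_ORIGIN=https://app.example`. Because `saveUninitialized` is false, only `/login` creates a store entry; a request to `/static/...` or `/me` without a prior login leaves the session collection untouched.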
I'm submitting a ...
[ X ] question about how to use this project
Summary
I've been troubleshooting this issue for several hours and have googled things like:
I can also see that several issues in this repo on the same topic have been resolved and closed.
I have tried all the solutions that others seem to have found resolved the issue, i.e.: `saveUninitialized` to `false`, `sameSite` to `none`, `cors` and set `credentials` to `true`.
My initial problem started when I noticed an Azure AD auto-signin redirect back to my application's `/redirect` endpoint was creating a different session than the one that was created during the initial Azure AD B2C signin, and so I could see that two session object entries were added to my MongoDB Atlas database. Then I added some `console.log()` statements to log out `req.session` values and sessions started being created in the database for every request (images, js, css etc.). I just thought I would post a chunk of my testing code below to ask if I am doing anything obviously wrong:
I'd appreciate any tips that could lead to a solution.
Thank You.