koajs / generic-session

koa session store with memory, redis or others.
MIT License

The header contains invalid characters #96

Closed nallown closed 8 years ago

nallown commented 8 years ago

Edit: Found the problem! https://github.com/koajs/generic-session/issues/96#issuecomment-234743407

When running:

this.session.count = 12

This exception gets thrown:

  koa-generic-session set error: The header content contains invalid characters
      at ServerResponse.OutgoingMessage.setHeader (_http_outgoing.js:351:13)
      at Cookies.set (..project\node_modules\cookies\lib\cookies.js:100:13)
      at Object.options.sessionIdStore.set (..project\node_modules\koa-generic-session\lib\session.js:93:20)
      at Object.saveNow (..project\node_modules\koa-generic-session\lib\session.js:283:26)
      at next (native)
      at onFulfilled (..project\node_modules\co\index.js:65:19)
      at process._tickCallback (node.js:369:9)

These are the modules that I used:

koa v1.2.0
koa-generic-session v1.11.1
koa-router v5.4.0

Can be reproduced with the following application:

'use strict'

const koa = require('koa')

const router  = require('koa-router')()
const session = require('koa-generic-session')

const app = koa()

// koa-generic-session signs the session cookie with app.keys
app.keys = ['key']
app.use(session())

// koa v1 generator-style middleware: touching this.session makes the
// session save (and the Set-Cookie header write) happen on response
router.get('/', function* () {
    this.session.count = 12
    this.body = 'test'
});

app.use(router.routes())

app.listen(3000)
console.log('listening on port 3000')

nallown commented 8 years ago

Looks like it was an issue with the newer versions of node. It works fine with version 4.2.6 of node.

It might be worth checking out this change https://github.com/nodejs/node/commit/cf2b714b02 to add support for newer versions of node.

Edit: As a temporary solution you can run the node application with --security-revert=CVE-2016-2216

dead-horse commented 8 years ago

what version of node are you using?

nallown commented 8 years ago

@dead-horse version 4.4.7, anything beyond 4.2.6 doesn't work.

dead-horse commented 8 years ago

I can't reproduce this problem.

The default session id is generated by uid-safe, which I think won't contain invalid HTTP header characters?

nallown commented 8 years ago

strange, I'll test it in a clean node environment and see whether that works. I'll update you when I'm done.

nallown commented 8 years ago

Works fine in a new environment. I think it might be one of the installed modules interfering with it. Kind of strange how they're interfering even though they're not being loaded or touched at all though. They're just installed. I'll go through the node modules that I've got installed and will figure out which one it is.

nallown commented 8 years ago

Updating koa to version 1.2.1 and koa-generic-session to version 1.11.3 fixed it.