valery-barysok / session-file-store

Session file store is a provision for storing session data in the session file

1.5.0 is not updating the session json file after authentication #94

Open scottc385 opened 4 years ago

scottc385 commented 4 years ago

I updated my working app from 1.4.0 to 1.5.0 and could no longer log in. Investigated the issue and found the session json file was not being updated with the 'user' object. Sequence:

1) First GET creates session with no 'user'
2) POST /login authenticates correctly, serialize function is being called, but the session json file is NOT updated.
3) Next GET does not auth because of the missing 'user' object

Going back to 1.4.0 solves the issue.

Also, I noticed that if I delete the session file between steps 1 & 2, a new session file is created with the user object.

Also, also, just by chance I found that if the client POSTs two times very quickly (or while I am stepping through the debugger) the session file is updated correctly.

valery-barysok commented 4 years ago

@scottc385, Could you provide example code to reproduce it?

scottc385 commented 4 years ago

I do not have time today to make a working example, but I will post the pertinent parts of my code:

const session = require('express-session');
var fileStore = require('session-file-store')(session);

app.use(flash());
app.use(session({
    // File store 1.5.0 was not working, would not update the session file after authenticated !!!
    // Went back to version 1.40
    store: new fileStore({ttl:31*86400, retries: 3}),
    secret: "secret",
    resave: false,
    saveUninitialized: false,
    cookie: { maxAge: null }
}));
app.use(passport.initialize());
app.use(passport.session());

Note: I also tried every combination of resave, saveUninitialized & rolling settings, but it did not help.

passportConfig.js attached

passportConfig.js.txt

scottc385 commented 4 years ago

Also, it was the LocalStrategy that was failing. The JsonStrategy was working. I also commented out the JsonStrategy and the problem still existed.

lanly-dev commented 3 years ago

My app also has the session not updating problem with the 1.5.0 version. It turned out 1.4.0 does that sometimes too, but it is not that noticeable. Rolling express-session from 1.17.1 back to 1.9.0 or this package to 1.3 seems to fix my app's bug.

SuecoMarcus commented 3 years ago

Same problem here!

I've been working for hours trying to find out why my login page wasn't functioning.

I switched to 1.4.0 and voila! The login is working again.

mcaralp commented 3 years ago

I think the problem comes from the write-file-atomic module. The writeFileAtomic() function is used to save the session, but it takes a really long time, and occasionally the session is saved after the browser has reloaded the web page. A solution is to manually save the session, something like this:

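app.post('/login', (req, res, next) => {
    // Custom callback so the handler decides when the response is sent
    const callback = (err, user, info) => {
        if (!user) return next(err)

        req.logIn(user, (err) => {
            if (err) return next(err)

            // Write the session to the store before redirecting
            req.session.save((err) => {
                if (err) return next(err)
                res.redirect('/')
            })
        })
    }

    passport.authenticate('local', callback)(req, res, next);
})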

This will ensure that the session is saved before the webpage is reloaded.

Codelica commented 3 years ago

@mcaralp thanks for the tip!

This seems to amount to a frustrating race condition when network times are quick compared to file write times. Using OAuth strategies with redirects it gets hard to pinpoint. Manually forcing the session to save (as above) in the verify callback works, but it does make me wonder about session changes between other quick calls once logged in though. I guess in a perfect world it would be nice to have the option of in-memory sessions that are (lazily) file backed, although I guess that starts to get into Redis territory. :)
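
Added example, not part of the thread and not session-file-store or express-session code: a small synchronous model of the ordering mcaralp and Codelica describe, showing what the request after the redirect reads from the store when the redirect is sent before the session write finishes versus from the save callback. `SlowStore`, `loginThenFollowUp` and the session id are hypothetical names constructed for the illustration.

```javascript
// Constructed model: a store whose writes land on "disk" only when
// flush() runs, standing in for a slow file write.
class SlowStore {
  constructor() {
    this.disk = new Map();   // what a later request would read
    this.pending = [];       // writes started but not yet finished
  }
  set(sid, session, cb) {
    // Snapshot the session at call time, like serialising it to JSON.
    this.pending.push({ sid, json: JSON.stringify(session), cb });
  }
  get(sid) {
    const json = this.disk.get(sid);
    return json ? JSON.parse(json) : null;
  }
  flush() {
    // Complete every outstanding write, then run its callback.
    for (const w of this.pending.splice(0)) {
      this.disk.set(w.sid, w.json);
      if (w.cb) w.cb(null);
    }
  }
}

// Hypothetical login flow. `waitForSave` selects the ordering:
// false = redirect as soon as the write has started (the failing case),
// true  = redirect from the save callback (the workaround in the thread).
function loginThenFollowUp(waitForSave) {
  const store = new SlowStore();
  const sid = 'sid-constructed';
  store.set(sid, {}, null);          // step 1: first GET creates the session
  store.flush();

  const session = store.get(sid);
  session.user = { id: 1 };          // step 2: POST /login authenticates
  let seenByNextGet = null;
  // The browser follows the redirect at once; the next GET reads the store.
  const redirect = () => { seenByNextGet = store.get(sid); };

  if (waitForSave) {
    store.set(sid, session, redirect);
  } else {
    store.set(sid, session, null);
    redirect();
  }
  store.flush();                     // the slow write finishes here
  return { seenByNextGet, onDisk: store.get(sid) };
}
```

In the `false` case the store eventually holds the `user` object, but the request that mattered has already been served from the old session, which is why the failure looks intermittent.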