
Cookieless Session #543

Open
npshubh opened this issue Jan 23, 2018 · 20 comments

Comments

@npshubh

npshubh commented Jan 23, 2018

How can we implement cookie-less session in express js? Express-session provides a way to maintain session using cookies but what if we try to use express-session without cookies? Is there any way to achieve that?

@dougwilson
Contributor

You could just call the get and set methods on your store object directly.

@dougwilson dougwilson self-assigned this Jan 23, 2018
@npshubh
Author

npshubh commented Jan 23, 2018

can you give me an example for that? How I'm supposed to do that?

@dougwilson
Contributor

So when you create the store object using your chosen store module, that module has various methods to interact with it like get, set, and more. Depending on how you're going to handle management of sessions without cookies, you would interact with the store module. This module is basically a "cookie adapter" for all the various stores. You would need to implement your own adapter over the stores to provide the functionality you're looking for.

@npshubh
Author

npshubh commented Jan 23, 2018

@dougwilson, when another user requests login using the API, the first session stored in the database gets updated. So I'm losing the session of the previous user who logged in using the API. I'm unable to insert a new session for each login request.

I can write custom code to achieve that, but it is worth asking you whether this library contains some logic to handle this kind of scenario.

@dougwilson
Contributor

Hm, I've never seen that happen here. It would be a big bug for sure. Can you help me reproduce the issue? I can take a look. Please provide all the following:

  1. Version of Node.js
  2. Version of this module
  3. Complete server code that reproduces the issue
  4. Instructions on how to get the server running if it is more than copy and paste your provided code
  5. Instructions on how to reproduce in the browser. Usually (1) go to this address (2) click this link, etc.

Thanks!

@npshubh
Author

npshubh commented Jan 23, 2018

Node :- v9.2.1
"express-session": "^1.15.6",

Code is on my localhost so I can't show you, but I can explain the process to you -

  1. I've used following code to setup

const express = require('express');
const session = require('express-session');
const mongoose = require('mongoose');
// connect-mongo v2/v3 style constructor, inferred from the mongooseConnection option (assumption)
const MongoStore = require('connect-mongo')(session);

const app = express();

app.use(session({
  secret: "test",
  // express-session's option is `cookie` (singular); `cookies` is silently ignored
  cookie: { maxAge: 600000, httpOnly: false },
  saveUninitialized: false, // don't create session until something stored
  resave: false, // don't save session if unmodified
  store: new MongoStore({
    mongooseConnection: mongoose.connection,
    autoRemove: 'interval',
    autoRemoveInterval: 10
  })
}));

  2. Now whenever a user "A" calls the API "localhost/#" I set a token "req.session.token = 'secret_token';" and I get data in my mongodb database. Till now everything is fine, we have successfully created a session for user "A".

  3. Now when another user "B" calls the API "localhost/#" and tries to login, the session of user "A" gets updated. So if user "A" tries to login using his token, I can't find it in the db and user "A" is not able to login.
    What I wanted is to create different sessions for multiple users, but I ended up updating the same session.

This library seems to work fine with browser login but not working with API logins.

Hope now you've understood the problem.

@dougwilson
Contributor

I kinda follow, but not sure why that is happening in your code. I would love to attach a debugger and walk through it and see what is going on, if you're willing to provide the requested information. If not, I'm not sure how I can figure out what is happening.

@npshubh
Author

npshubh commented Jan 23, 2018

gateway.zip
here's the code.

@dougwilson
Contributor

Awesome, thanks! I just got to bed, so will check it out when off work tomorrow night (approx in 20 hours).

@dougwilson dougwilson reopened this Jan 23, 2018
@dougwilson dougwilson removed their assignment Jan 23, 2018
@dougwilson
Contributor

(I also have the issue open and labeled in case someone else has time to look sooner)

@npshubh
Author

npshubh commented Jan 23, 2018

@dougwilson thanks for your help.

@npshubh
Author

npshubh commented Jan 30, 2018

Hi @dougwilson, any update?

@dougwilson
Contributor

I haven't had an opportunity yet. I have the issue open and labeled in case someone else has time to look sooner.

@MatehElismar

It's been a while! What happened?

@HarshithaKP

@npshubh I am able to understand the problem. I wanted you to clarify the following:

  1. Can you try with only one user (A), that is, log in using the API, do something and log out, and then have user (A) log in again? This is to see whether the session has been deleted immediately after user (A) logged out or whether it remains in the database.

  2. User (A) logs in and spends some time after logging in. As per your session settings, this is just to check whether the cookie would have expired.

  3. Can you please provide me minimal code to reproduce this issue?

@SimonAM

SimonAM commented May 29, 2021

Regarding the problem of not being able to store more than one user in the session database. I had a similar problem during testing. It was a mix of misconfigured authentication and me repeatedly sending the same cookie through postman over and over again which bypassed the signin route. 😔

I'm still interested in a solution regarding sessions without cookies. My use case is using session based auth on a react native expo frontend which doesn't support cookies.

  • Codedamn on youtube describes the problem and a middleware solution for handling incoming requests. However, Codedamn does not describe how to save the cookie into a header.
  • According to an old github question, express session doesn't allow access to the cookie in the response.
  1. Have there been any updates to express-session in recent years allowing access to the cookie before the response is sent (thereby allowing the cookie to be put in a header)?
  2. Is there any other known way of putting the cookie in the headers?

@SimonAM

SimonAM commented May 30, 2021

I created an ugly and temporary solution.

In express-session/index.js, in the session function I add the option replaceCookieWithAccessToken with a default of false.
In the setcookie function I add a new parameter, isCookieReplacedWithToken, taking the above option as an argument. I then add an if-else statement in the setcookie function:

  // isCookieReplacedWithToken is the new setcookie parameter described above;
  // `header` is the serialized session cookie express-session would normally send
  if (isCookieReplacedWithToken) {
    res.setHeader('X-Access-Token', header);
  } else {
    res.setHeader('Set-Cookie', header);
  }

This seems to work, but I really have no idea if it breaks some other part of the code. If there are no other alternatives for creating cookieless sessions, I hope someone could integrate a similar solution into the project.
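The same header swap done without patching the library, as an added example (not SimonAM's patch and not express-session code). The request side turns `Authorization: Bearer <value>` into the `Cookie` header express-session already knows how to parse; the response side copies the session cookie value out of `Set-Cookie` into `X-Access-Token`. It assumes express-session is mounted after this middleware and that express-session adds its `Set-Cookie` inside its own `writeHead` hook, so the wrapper below sees the header on its way out; the header name `X-Access-Token` is taken from the comment above, `connect.sid` is express-session's default cookie name, and the character whitelist and function names are my own choices.

```javascript
'use strict';
// Added example, not express-session code: translate between a bearer token and
// the session cookie so express-session itself stays unmodified. Header name
// from the thread, default cookie name from express-session; the rest is assumed.

const COOKIE_NAME = 'connect.sid';

// Request side: "Authorization: Bearer <value>" becomes the Cookie header that
// express-session parses. Returns the cookie string, or null if no usable token.
function cookieFromBearer(headers, cookieName = COOKIE_NAME) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers.authorization || '');
  if (!m) return null;
  // Conservative whitelist (assumption): a serialized cookie value is URL-encoded,
  // so anything with ';', ',' or other separators is rejected rather than letting
  // a client smuggle extra cookies or attributes through this header.
  if (!/^[A-Za-z0-9_\-%.:]+$/.test(m[1])) return null;
  return cookieName + '=' + m[1];
}

// Response side: pull the session cookie's value out of Set-Cookie (string or
// array of strings) so it can be sent back in a header instead of the cookie.
function tokenFromSetCookie(setCookie, cookieName = COOKIE_NAME) {
  const list = Array.isArray(setCookie) ? setCookie : setCookie ? [setCookie] : [];
  for (const line of list) {
    const pair = line.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq > 0 && pair.slice(0, eq).trim() === cookieName) return pair.slice(eq + 1).trim();
  }
  return null;
}

// Middleware to mount BEFORE session(): rewrites the incoming header and, when the
// response headers are about to be written, mirrors the cookie into X-Access-Token.
// Assumption: express-session emits Set-Cookie from its own writeHead hook, which
// runs before this wrapper because session() was mounted later.
function bearerSessionAdapter(req, res, next) {
  const cookie = cookieFromBearer(req.headers);
  if (cookie) req.headers.cookie = cookie; // assumption: API clients send no real cookies
  const writeHead = res.writeHead;
  res.writeHead = function () {
    const token = tokenFromSetCookie(this.getHeader('Set-Cookie'));
    if (token) this.setHeader('X-Access-Token', token);
    return writeHead.apply(this, arguments);
  };
  next();
}
```

Usage is `app.use(bearerSessionAdapter); app.use(session({ ... }));`. The client stores whatever arrives in `X-Access-Token` and replays it as the bearer value; the token is still express-session's own signed cookie value, so signature checking, rolling and expiry all keep working unchanged. If you also serve browsers, keep the real cookie (this code only adds the header, it does not remove `Set-Cookie`).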


@ultimate-tester

This is the same as #161 right?
