New session support overwrites my session cookie #177

Closed
goldfire opened this Issue Jan 27, 2012 · 7 comments


I'm using Express and connect-redis to do my session store. This has worked fine until v0.8.x was released with the new experimental session support. Generally there aren't problems, but sometimes Now appears to create a new blank session that overwrites the connect.sid cookie, which leads to the user getting logged out.

It might only happen if you reload the page before the Now connection is established because I can usually make it happen by reloading the page twice quickly, but I have seen it happen right after logging in as well.

EDIT: After doing some more testing, this might actually be an issue earlier than 0.8.x.

Contributor

ericz commented Jan 27, 2012

Hmm, does it overwrite the cookie itself or the connect session object? Either way I can't imagine what's going on. Any example to show this triggering?

Thanks,
Eric

Okay so I've been doing a lot more testing and it might actually be a socket.io issue. It just overwrites the connect.sid cookie, but the old session is still there. It is creating a new, empty session and just changes the pointer to the session in the cookie.

Contributor

ericz commented Jan 27, 2012

Hmm socket.io has its own cookie, not sure why it'd be messing with connect.sid

You can also configure the name of the socket.io cookie in its options... bizarre


510-691-3951
http://ericzhang.com

What is socket.io's cookie? The only cookie I see set is connect.sid, but I get 2 sessions in redis:

"{"lastAccess":1327695958709,"cookie":{"originalMaxAge":1295999999,"expires":"2012-02-11T20:25:59.106Z","httpOnly":true,"domain":".example.com","path":"/"},"email":"...","pass":"..."}"

"{"lastAccess":1327695954751,"cookie":{"originalMaxAge":14400000,"expires":"2012-01-28T00:25:54.819Z","httpOnly":true,"domain":".example.com","path":"/"}}"

Contributor

ericz commented Jan 27, 2012

Oh you're right. The cookie system I was describing hasn't been in socket.io since v0.6 days. Whoops


Contributor

ericz commented Jan 27, 2012

Hmm I don't see why any connect.sid activity should be happening. The socket.io guys will probably be able to help you more.

Eric


One thing I'm noticing is that connect creates two blank sessions and a connect.sid cookie on page load, without any of my code creating a session, which seems like it might be part of the problem, but I can't find anything to suggest if that is the intended behavior or not. Any idea?

@goldfire goldfire closed this Jan 28, 2012
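
A way to pin down which response replaces the cookie, as an added example that is not part of the thread or of the Now, connect or socket.io code: it scans request/response header pairs and reports every response whose Set-Cookie issues a connect.sid different from the one the browser sent. The record shape (`{url, cookie, setCookie}`), the function names and the sample exchanges are assumptions constructed for illustration.

```javascript
// Added diagnostic sketch; names and record shape are hypothetical.
const SESSION_COOKIE = 'connect.sid'; // cookie name taken from the thread

// Parse a request "Cookie" header into a name -> value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    // Split on the first '=' only: signed ids may contain '=' themselves.
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Return the value that a list of "Set-Cookie" headers assigns to `name`, or null.
function setCookieValue(setCookieHeaders, name) {
  for (const line of setCookieHeaders || []) {
    const pair = line.split(';', 1)[0]; // drop Domain/Path/HttpOnly attributes
    const eq = pair.indexOf('=');
    if (eq !== -1 && pair.slice(0, eq).trim() === name) {
      return pair.slice(eq + 1).trim();
    }
  }
  return null;
}

// Flag responses that replace a session id the client already presented.
function findSessionOverwrites(exchanges) {
  const findings = [];
  for (const ex of exchanges) {
    const sent = parseCookieHeader(ex.cookie).get(SESSION_COOKIE);
    const issued = setCookieValue(ex.setCookie, SESSION_COOKIE);
    if (issued === null) continue;    // response left the cookie alone
    if (sent === undefined) continue; // first visit: a new id is expected
    if (sent !== issued) findings.push({ url: ex.url, sent, issued });
  }
  return findings;
}

// Constructed sample: a login followed by two quick reloads.
const attrs = '; Domain=.example.com; Path=/; HttpOnly';
const sample = [
  { url: '/login', cookie: '', setCookie: ['connect.sid=AAA' + attrs] },
  { url: '/', cookie: 'connect.sid=AAA', setCookie: ['connect.sid=AAA' + attrs] },
  { url: '/', cookie: 'connect.sid=AAA; other=1', setCookie: ['connect.sid=BBB' + attrs] },
];

console.log(findSessionOverwrites(sample));
```

A response that re-sends the same id, for example to refresh the expiry, is not reported; only a changed id for a client that already had one is.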
