session not kept between http callbacks

[coolaj86]

I don't know if this is a bug in connect.session or connect-auth or if I've got something setup wrong, but it seems that req.session is replaced with a new session between the time I begin the oauth process and I get the calback.

My example is here:
https://github.com/coolaj86/node-oauth2-examples

[ciaranj]

I'm struggling to get your example to run :( I"ve tried following the instructions but it complains about being unable to find the provider. If I try and run the provider it complains about being unable to find connect. Before I move forward, should I be looking at 'master' ?

[ciaranj]

K. Up and running, If I re-enable 'trace' in your consumer app, and hit http://localhost:7788/login I see the following trace output (included:

looking at /login
oauthCallback undefined
21:06:09-388 [h76mJV] (email,birthday) >>> Authenticating (localhost:7788/login)
21:06:09-388 [h76mJV] (email,birthday) *** foo: Attempting authentication with: foo
looking at that.authenticate /login /
http://localhost:7788/_oauth/_foo_callback
assigning req.session.sessionRedirectUrl /login
getAuthorizeUrl http://localhost:4455/oauth/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A7788%2F_oauth%2F_foo_callback&scope=&client_id=1&type=web_server
21:06:09-389 [h76mJV] (email,birthday) *** foo: Redirecting to: http://localhost:4455/oauth/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A7788%2F_oauth%2F_foo_callback&scope=&client_id=1&type=web_server
21:06:09-390 [h76mJV] (email,birthday) *** foo: Tested all strategies
21:06:09-390 [h76mJV] (email,birthday) <<< Authentication ongoing (Requires browser interaction)
stuck in the weird state?

The bit in the square bracket h76mJV is (part of) the session id for the request, it doesn't seem to be chaning, looking at the browser it would seem that it leaves your consumer (correctly) and gets stuck in the provider, the provider does not appear to be re-directing back to your callback url on the consumer ?

[coolaj86]

here's the 120 second explanation: http://youtu.be/u_gmnmvP2ts

I turned on trace and investigated further. I see that the session id in the trace is the same, but I can't access the session variable that I set.

Before I contact the provider I set the variable like so

req.session.oauthCallback = req.query.oauthCallback;

And then later when I get it it's undefined

console.log(req.session.oauthCallback);

[coolaj86]

Hmmm... senchalabs/connect#763

[ciaranj]

Hmm, one thing that strikes me is that sometimes the urls printed out are http://localhost:7788 and sometimes they're http://0.0.0.0:7788/ if these are real urls from the browser then they (possibly) will be using different cookies, so possibly the session identifier is not being re-sent. Tracing should show this visibly.

[coolaj86]

I noticed that last night as well and I tested making sure that in the browser everything was localhost instead of 0.0.0.0 and still no dice.

However, I started thinking that maybe the problem was generally localhost, so I edited /etc/hosts to have provider.example.com and consumer.example.net and now it works differently.

As far as I can tell the sessions are separated by hostname only, not by hostname + port. The issue I was experiencing I'm fairly certain is an issue with connect.session.

[ciaranj]

Odd, on the clientside cookies are definitely partitioned including the port.

[ciaranj]

Hmmm actually, that may not be correct, according to: http://stackoverflow.com/questions/1612177/are-http-cookies-port-specific 'it depends' ;)

[coolaj86]

Well, I just tried again in an incognito window just to make sure I wasn't suffering cache / cookie weirdness, but same behavior. localhost is definitely broken. example.com / example.net works.

[ciaranj]

weird, don't think thats anything on the connect-auth side I'm afraid, closing for now :)