Why are s: and hmac necessary in the express session cookie? #220

Closed
jun-gyu opened this issue Mar 27, 2024 · 2 comments

jun-gyu commented Mar 27, 2024

Hi there,

I am trying to share sessions between an Express server and a PHP server using Redis. However, I am having difficulty sharing sessions due to cookie issues.

When Express creates a cookie for the session ID, it appends the string s: and an hmac to the session ID. On the other hand, PHP only stores the session ID in the cookie.

Is there a way to prevent Express from appending s: or hmac to the session ID in the session configuration? Why are s: and hmac necessary in the cookie?

Thank you for your time.

// express session cookie
's:j-MTzbHSoR44LXKerNC7VIoewdPyzZSv.9mwpZVmRlDQS4yMcqUw10Vvb1x7jmlsiN/x3zZI/uoU'

// php session cookie
'ddoudcat5r5n2on95if58flqb4'

// express redis session code
// REDIS_HOST, REDIS_PORT and SESS_SECRET are not defined in this snippet;
// they are assumed to be set elsewhere (e.g. as globals) before this module loads.
const express = require('express');
const session = require('express-session');
const cookieParser = require('cookie-parser');
const ioredis = require('ioredis');
const redisStore = require('connect-redis').default;

const app = express();

const prefix = 'PHPREDIS_SESSION:';
let sessSetting = {
	store: new redisStore({
		client: new ioredis({
			host: REDIS_HOST,
			port: REDIS_PORT,
		}),
		prefix,
	}),
	name: 'cookieName',
	secret: SESS_SECRET,
	resave: false,
	saveUninitialized: true,
	cookie: {
		maxAge: 3600000,
		httpOnly: true,
		secure: true,
		domain: '.pljec.cloud',
	},
};

app.use(cookieParser(global.SESS_SECRET));
app.use(session(sessSetting));
module.exports = app;

@wesleytodd
Member

It has been a while since I have looked at that package, but IIRC those are added using secure cookies and the point is so the middleware can know it should and then check its integrity. I would recommend using just one thing to create and manage sessions, so maybe you could have the PHP side make an API request to validate the session and/or fetch its data from Redis?

@wesleytodd
Member

Ah I hit send early. I should have mentioned that we don't really offer technical support here. This discussions repo is more about the project discussing direction, feature work, and bug fixes. You might want to ask on a place like StackOverflow or Reddit where more people are there to share opinions and help out.
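
The signed-cookie layout asked about above, as an added example that is not part of the original thread or of express-session's own code: the value is `s:` + session ID + `.` + an unpadded base64 HMAC-SHA256 of the session ID, which is the format produced by the cookie-signature package that express-session uses. The function names, secret and session ID here are constructed for illustration; a second consumer of the cookie should verify the MAC like this rather than only stripping it.

```javascript
const crypto = require('crypto');

// HMAC-SHA256 over the session ID, base64-encoded with '=' padding stripped.
function mac(sid, secret) {
  return crypto.createHmac('sha256', secret).update(sid)
    .digest('base64').replace(/=+$/, '');
}

// Build the cookie value: "s:" marks it as signed, the MAC follows the last dot.
function signSessionId(sid, secret) {
  return 's:' + sid + '.' + mac(sid, secret);
}

// Return the session ID if the MAC verifies, otherwise false.
function unsignSessionCookie(raw, secret) {
  let value;
  try {
    value = decodeURIComponent(raw); // on the wire the value is URL-encoded ("s%3A...")
  } catch (e) {
    return false;                    // malformed percent-encoding
  }
  if (!value.startsWith('s:')) return false; // unsigned value: reject
  const body = value.slice(2);
  const dot = body.lastIndexOf('.');
  if (dot === -1) return false;
  const sid = body.slice(0, dot);
  const given = Buffer.from(body.slice(dot + 1));
  const expected = Buffer.from(mac(sid, secret));
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length) return false;
  return crypto.timingSafeEqual(given, expected) ? sid : false;
}

// Constructed sample values, not taken from the thread.
const DEMO_SECRET = 'constructed-demo-secret';
const DEMO_SID = 'constructedSessionId0123456789ab';

const cookie = signSessionId(DEMO_SID, DEMO_SECRET);
console.log(cookie);
console.log(unsignSessionCookie(encodeURIComponent(cookie), DEMO_SECRET)); // session ID
console.log(unsignSessionCookie(cookie.replace('ab.', 'ac.'), DEMO_SECRET)); // false
```

Because the MAC is keyed with the server's secret, a client that edits or guesses a session ID cannot produce a matching signature, so the request is rejected before the session store is queried.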
