express-session loses session when app runs into error

[akamensky]

I ran into this issue while writing app that utilizes express-session package with redis as session storage.

In short - if app experiences some error that doesn't necessarily affect related session information, the user is magically logged out with his session object being gone from redis. I am not sure whether this is issue of this package, or maybe redis-storage package, or even my code, so I created simple example app that demonstrates this issue. (https://github.com/akamensky/express-session-bug)

To reproduce this issue:

• run this app
• open http://localhost:8080/
• use admin/password to log in
• open http://localhost:8080/test (that will trigger error on server side)
• open http://localhost:8080/

With the sequence above I would expect user to stay logged in at the end but it doesn't happen..

[joewagner]

Unless specifically done in your application's code, session saving is done by proxy of req.end.
What is happening is that your call to Session#regenerate is destroying the session in redis. Then the error occurs before the newly generated session is initially saved –since req.end isn't called–. Two solutions might be:

1. save the session immediately in the regenerate callback
2. Don't regenerate the session on each request, particularly since this creates a race condition if a user makes two concurrent requests from the same client.

I don't think this is an express-session issue, feel free to reopen this if you disagree.