
Duplicate session cookies issue #549

Closed
devfans opened this issue Feb 1, 2018 · 6 comments

Comments

@devfans

devfans commented Feb 1, 2018

I ran into this issue: after I cleared the Redis session store (or maybe that's not the reason), my browser always keeps both the old session cookie and the new session cookie and parses the old one as the session ID, which leads to a "session not found" issue.
Here's my session conf:

const sess = {
  secret: "my secret",
  store: new RedisSessionStore(model.redisOption),
  saveUninitialized: false,
  resave: false,
  proxy: true,
  httpOnly: true, // not a top-level express-session option; express-session reads cookie.httpOnly
  secure: false,  // likewise read from cookie.secure, not from here
  signed: false,  // not an express-session option at all
  cookie: {
    path: '/',
    domain: config.cookie_domain,
    maxAge: 1000000 * 60 * 24 // meant as 24 hours, but 1000000 ms is 1000 s, so this is 1,440,000,000 ms (~16.7 days); 1000 * 60 * 60 * 24 is 24 hours
  }
};

Request data:

rawHeaders: 
            [ 'X-Real-IP',
              'x.x.x.x',
              'Host',
              'localhost',
              'Connection',
              'close',
              'Cache-Control',
              'max-age=0',
              'Upgrade-Insecure-Requests',
              '1',
              'User-Agent',
              'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36',
              'Accept',
              'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
              'Referer',
              'http://domain.com:3009/signin.html',
              'Accept-Encoding',
              'gzip, deflate',
              'Accept-Language',
              'en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7',
              'Cookie',
              'connect.sid=s%3AR0UZSPKfGazZ3XWEpRDO6iw56FUceUlP.d62%2B84wbHhoPiBkeeqAz5AdZ%2BKKPe0nuYCwbI%2BP8w8Y; connect.sid=s%3A2gdGwh1wTvpCH5hO4XhZpI3Uo0E_cakr.bC5%2F4JDLpDQOl7YwamEXjc%2B4kgJwWHdLbvz3YOAaTJA' ],

I've spent a lot of time trying to find a fix and haven't found a solution yet. I hope I can find the fix here. Thanks.

@joewagner
Member

Hi @devfans

If you clear the cookies in question, are you still able to reproduce the issue, and if so would you mind posting the steps to do so here?

Is there any chance you changed the value of the cookie config at some point, leaving your browser thinking it should return two cookies with the same value?

Also, could you log the response you are sending that contains the Set-Cookie header that might be responsible for setting two cookies with the same name?

Maybe a related issue.

@devfans
Author

devfans commented Feb 1, 2018

Hi @joewagner

Thanks for your reply. I am not quite sure how to reproduce this. Basically I set the cookie domain to 'localhost' for development, but it also seemed to work fine if I accessed it from mydomain.com:3009. However, yesterday I found I failed to log in, and after checking around it looked like my Redis store had crashed. Then I restarted Redis and still couldn't log in. I assumed my login was missing from the database after Redis crashed. Then I flushed Redis and re-added my login, but still no luck. Then I modified the cookie domain to ".mydomain.com", no luck either. After some debugging, I found the duplicate session cookies and also found the link you mentioned after searching around; yeah, it seems to be the same issue.

I didn't clear the session cookie from the client side yet, as I haven't found a way to clear cookies in the latest Chrome for only one site. But I tried to clear the HttpOnly cookie from the server side, and it seems I failed to clear that.

Here's more log output I have:

set-cookie:connect.sid=s%3ATD71u-ArHRiWJAviAwMdZWtJkdK1Qki6.Krbicu7JA1Rk7WEFjc%2B5V9NV9IFaQ0UDqps1XLjQlPw; Domain=.mydomain.com; Path=/; Expires=Thu, 01 Feb 2018 16:13:05 GMT; HttpOnly

express-session saving 4TTkL6D5fVTA1jervIT-mLkwQoXv_dwD +13ms
  express-session split response +0ms
  express-session set-cookie connect.sid=s%3A4TTkL6D5fVTA1jervIT-mLkwQoXv_dwD.FXDDor%2BjBU4Ew05BhUAHZ%2FAuEUU3ZcrYaLHxNYRdJJ0; Domain=.mydomain.com; Path=/; Expires=Sun, 18 Feb 2018 08:12:55 GMT; HttpOnly +0ms
  express-session fetching R0UZSPKfGazZ3XWEpRDO6iw56FUceUlP +92ms
  express-session no session found +5ms
  express-session fetching R0UZSPKfGazZ3XWEpRDO6iw56FUceUlP +127ms

Thanks for your help!

@kriscarle

I also had a duplicate cookie issue and it turned out to be a misconfiguration in the domain setting between multiple API instances (e.g. api/v1 and api/v2) sharing the same domain and datastore.

You will absolutely need to clear the cookies in your browser to get everything going again... or, as a quick test, use incognito mode. There are a couple of ways to find cookies in Chrome without clearing the entire browser: you can go to chrome://settings/siteData, or you can open dev tools and go to the Application tab. Hopefully that helps :)
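The domain-mismatch situation kriscarle describes, and the server-side clearing devfans reported failing at, as an added example that is neither express-session's nor the reporter's code: a request legitimately carries two connect.sid cookies when the browser stored them under different Domain/Path attributes, and each stale copy can only be expired by a Set-Cookie that repeats that exact Domain and Path. The domain list and the middleware name are assumptions; mount it before express-session.

```javascript
// Added example, not express-session's own code. Domain values are assumptions
// taken from the thread ('localhost', '.mydomain.com'); adjust to your deployment.
const SESSION_COOKIE = 'connect.sid';

// Parse a raw Cookie request header into [{ name, value }], keeping duplicates in
// the order the browser sent them; a plain object keyed by name would drop one.
function parseCookieHeader(header) {
  return header.split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      if (eq === -1) return { name: part, value: '' };
      return { name: part.slice(0, eq).trim(), value: part.slice(eq + 1).trim() };
    });
}

// All values sent under the session cookie name; more than one means the browser
// holds copies stored under different Domain/Path attributes (RFC 6265 keys a
// cookie by name + domain + path, so both are legitimately returned).
function duplicateSessionValues(header, name = SESSION_COOKIE) {
  return parseCookieHeader(header).filter((c) => c.name === name).map((c) => c.value);
}

// One expiring Set-Cookie per Domain/Path pair the cookie may have been issued
// with. Clearing only works when Domain and Path match the stale cookie exactly;
// an empty domain string means a host-only cookie (no Domain attribute).
function clearCookieHeaders(name, domains, path = '/') {
  return domains.map((domain) => {
    const attrs = [`${name}=`, `Path=${path}`, 'Expires=Thu, 01 Jan 1970 00:00:00 GMT', 'HttpOnly'];
    if (domain) attrs.splice(1, 0, `Domain=${domain}`);
    return attrs.join('; ');
  });
}

// Express middleware to mount before express-session: when the request carries
// duplicate session cookies, expire every candidate copy so the next request
// arrives clean. Only the count is logged; the values are signed session ids.
function duplicateCookieGuard(domains) {
  return (req, res, next) => {
    const values = duplicateSessionValues(req.headers.cookie || '');
    if (values.length > 1) {
      console.warn(`${values.length} ${SESSION_COOKIE} cookies in one request; clearing`);
      for (const h of clearCookieHeaders(SESSION_COOKIE, domains)) res.append('Set-Cookie', h);
    }
    next();
  };
}
```

Because express-session reads only the first connect.sid it sees, a stale first copy is exactly the "no session found" in the debug log above; once the browser has dropped the expired copies, the remaining cookie is the live one.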

@devfans
Author

devfans commented Feb 28, 2018

I see; it seems good now. Thanks for your reply @kriscarle. I guess the issue can be closed for now, or there's a way to avoid duplicate session cookies and it will be included in the project.

Thanks

@dougwilson
Contributor

Yes, I can close. I have no idea how to avoid them, but if you have ideas on how to accomplish that I'd be very interested, seeing how this problem pops up every so often, so a solution will save a lot of developers' time.

@Poyoman39

Poyoman39 commented Jun 13, 2019

Linked to:
expressjs/cookie-parser#31
jshttp/cookie#60
