Passport.js does not work with cookieSession (Express.js)

[eneko89]

I'm using Passport to log in with Facebook or Twitter into my service. Since MemoryStore is not intended for production and I'm not going to store much information into the session, I wanted to use cookieSession, but it doesn't work:

app.use(express.bodyParser());
app.use(express.methodOverride());
app.use(express.cookieParser());
app.use(express.cookieSession({ secret: 'keyboard cat', cookie: {maxAge: 60 * 60} }));
app.use(passport.initialize());
app.use(passport.session());
app.use(app.router);

It works as expected if I repace cookieSession() with session():

app.use(express.session({ secret: 'keyboard cat' }));

[eneko89]

To reproduce it:

1. Clone passport-facebook.
2. Go to the login example.
3. "npm install" to install dependencies.
4. Edit app.js to insert valid facebook app-id and app-secret.
5. Try it ("node app.js"). It will work as it is (express.session()) but not if you use express.cookieSession().

[MattiLehtinen]

I have this same issue. Did you @eneko89 found any solution/workaround?

[eneko89]

Nope @mlehtinen :(. I still carry on the development with the hope that it will be fixed, cause cookies would be the most appropriate store for my reduced session info... What versions of Express and Passport are you using?

I'm not really sure if its Connect's or Passport's fault... :S.

[jaredhanson]

I'd love to see a pull request, if you can investigate :)

[eneko89]

So you confirm that it is Passport's issue? Perhaps I was doing something wrong, didn't know...

I'll see if I can do something about it.

[jaredhanson]

No. I haven't had time to investigate, so I don't know if it is Connect or Passport. If it is Passport, I'd love a pull request. And if its not, I'm sure Connect would appreciate one!

[eneko89]

SOLVED! :D

It was my fault, nothing to do with passport. I was provisionally serializing full facebook profile into the session (like you did in the passport-facebook project's example), without taking into account that it doesn't fit into a cookie! That's why it was working using the default MemoryStore and failing with cookieSession. It works as expected if you serialize less information.

Hope it helps, @mlehtinen :).

[pateljatin]

this is the issue I'm having - I changed it to session and it works ok.

[1st]

Guys, I am sorry. But I don't understand what different between cookieSession and session? As I see, only firs one described in API. but in examples used second one. Is session() is outdated version of "cookieSession()" ❓
Thanks 👍

[AndrewRademacher]

The question about what is different between the session() and cookieSession() is best described here

[sriram-dev]

I have a problem where in the while doing a logout (req.logout() and req.session.destroy() ) , i still see req.user being populated with values of previous session. Any idea why that would happen ? More details here http://stackoverflow.com/questions/25217295/passport-connect-mongo-logout

[AndriesDemeulenaere]

Did you by any chance resolve this issue, sriram-dev? I've been stuck on this problem for a while.

[leona-ya]

@jaredhanson I think this issue can be marked as closed

[sasos90]

I have the problem only when testing with Jest (Supertest agent). Anyone?

[mitchellporter]

This still seems to be an issue. Unfortunately I don't have time to isolate and test right now but I don't think this is as simple as trying to write too much data to the cookie. I keep running into an issue where it wants to deserialize the user despite the fact that the user doesn't exist yet. Replacing cookie-session with express-session fixes the problem.

Will hopefully have more time to figure out what's wrong soon and then I'll report back.