
After login or sign-out the session is lost, and secureCookies true loops the login page. #1970

Closed
bookyo opened this issue Nov 18, 2019 · 4 comments

Comments


bookyo commented Nov 18, 2019

After login or sign-out the session is lost, and secureCookies true loops the login page.

Bug one: after login or sign-out the session is lost.

My code:

// Assumes `keystone` is the Keystone instance created in the project's index.js.
const increaseCount = async (_, { id }, { req }) => {
  const list = keystone.lists.Video;
  const video = await list.adapter.findById(id);
  // Persist the global view count on the Video item itself.
  await list.adapter.update(video.id, {
    counts: video.counts + 1,
  });

  // Per-session daily counter, keyed by the start of the current local day
  // (same timestamp as `new Date(new Date().toLocaleDateString())`, but not
  // dependent on the locale's date format).
  const viewcounts = req.session.viewcounts;
  const date = new Date().setHours(0, 0, 0, 0);
  console.log(viewcounts);

  if (viewcounts && viewcounts.date === date) {
    req.session.viewcounts = {
      date,
      counts: viewcounts.counts + 1,
    };
  } else {
    // First view in this session, or first view of a new day: start from 1.
    req.session.viewcounts = {
      date,
      counts: 1,
    };
  }

  return {
    id: video.id,
  };
};

keystone.extendGraphQLSchema({
  mutations: [
    {
      schema: `increaseCount(id: ID!): Video`,
      resolver: increaseCount,
    },
  ],
});

I expect viewcounts in req.session to be kept alive:
undefined
{ date: 1574006400000, counts: 1 }
{ date: 1574006400000, counts: 2 }
{ date: 1574006400000, counts: 3 }
{ date: 1574006400000, counts: 4 }
{ date: 1574006400000, counts: 5 }

This is the right way, but when I log in, req.session.viewcounts is lost.
The console will show:

undefined
{ date: 1574006400000, counts: 1 }
{ date: 1574006400000, counts: 2 }
{ date: 1574006400000, counts: 3 }
{ date: 1574006400000, counts: 4 }
{ date: 1574006400000, counts: 5 }
undefined

See, after I use the mutation authenticateUserWithPassword(), req.session.viewcounts becomes undefined. I think there's something wrong in req.session.

Bug two:

With a reverse proxy, secureCookies set to true and an HTTPS URL, I can't get into the Admin UI; it loops on the login page.


bookyo commented Nov 18, 2019

Session {
  cookie: {
    path: '/',
    _expires: 2019-12-18T05:56:23.896Z,
    originalMaxAge: 2592000000,
    httpOnly: true,
    secure: false
  },
  keystoneListKey: 'User',
  keystoneItemId: '5dc3ebce17607c30052d27aa',
  audiences: [ 'admin' ],
  viewcounts: { date: 1574006400000, counts: 3 }
}

After the mutation authenticateUserWithPassword() or unauthenticateUser(), the session is reset:

Session {
  cookie: {
    path: '/',
    _expires: 2019-12-18T05:56:47.871Z,
    originalMaxAge: 2592000000,
    httpOnly: true,
    secure: false
  }
}


bookyo commented Nov 18, 2019

There's a solution: store the data in MongoDB and use node-schedule to clear it every day.

MadeByMike (Contributor) commented

@bookyo Regarding the first issue here, when you login a new session is created. All the data will be cleared and this is expected. The session is probably not the right place to store data. Consider using the database or creating a custom cookie.

The configuration of a reverse proxy and cookies can be difficult. I'd say you have a misconfiguration somewhere, as we've got this working on a number of large-scale production sites. I've been chatting with the team about what we can do to make configuration and deployment in these situations easier.


molomby commented Mar 31, 2020

The second bug you mention...

With a reverse proxy, secureCookies set to true and an HTTPS URL, I can't get into the Admin UI; it loops on the login page.

...is related to the secure cookie/proxy issue discussed in #1887.

It is a complex topic that cuts across Keystone's internals, project code, deployment config and browser behaviour. I've written up what I know here: Keystone 5: Secure Cookies and Reverse Proxies

The TL;DR is that you should ensure...

  • Connections between the browser and the proxy are secure (ie. over HTTPS)
  • The proxy is configured to add a X-Forwarded-Proto header to requests
  • Keystone's Express server is configured to trust the proxy (ie. trust proxy is set)
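The three points above fit together as follows. When the proxy terminates TLS, Node's own socket is plain HTTP, so the only evidence that the browser used HTTPS is the `X-Forwarded-Proto` header the proxy adds; if the app does not trust the proxy, that header is ignored, every request looks insecure, and a cookie marked Secure is never issued, so the browser arrives at the Admin UI with no session and is bounced back to the login page. The snippet below is an added example, not Keystone's or express-session's code: it models that decision for a constructed request object (`encrypted` standing in for Node's TLS socket flag, `headers` for the request headers) and walks the login flow under each configuration. `secureCookies` stands for Keystone's option of that name and `trustProxy` for Express's `trust proxy` setting; the cookie name and value are placeholders.

```javascript
// Added example: why `secureCookies: true` behind a TLS-terminating reverse
// proxy loops the login page unless the Express app trusts the proxy.
// Not Keystone's or express-session's code; request shape is constructed.

// req = { encrypted: boolean /* Node socket is TLS */, headers: { 'x-forwarded-proto'?: string } }
function isSecureRequest(req, trustProxy) {
  // A direct TLS connection into Node is secure regardless of headers.
  if (req.encrypted) return true;
  // Proxy not trusted: the header is ignored, so a TLS-terminating proxy that
  // talks plain HTTP to Node makes every request look insecure.
  if (!trustProxy) return false;
  // Proxy trusted: believe the first (client-most) value the proxy set,
  // e.g. "https" or "https, http" when proxies are chained.
  const header = req.headers['x-forwarded-proto'] || '';
  const first = header.split(',')[0].trim().toLowerCase();
  return first === 'https';
}

// Returns the Set-Cookie header that would be sent for the session, or null
// when a Secure cookie is withheld because the request does not look secure.
function sessionSetCookie(req, { secureCookies, trustProxy }) {
  const name = 'keystone.sid';   // placeholder cookie name
  const value = 's%3Aexample';   // placeholder session id
  if (secureCookies && !isSecureRequest(req, trustProxy)) return null;
  const attrs = ['Path=/', 'HttpOnly'];
  if (secureCookies) attrs.push('Secure');
  return `${name}=${value}; ${attrs.join('; ')}`;
}

// Login, then request the Admin UI with whatever cookie the login response set.
// No cookie means no session, which means a redirect back to the login page.
function loginFlow(req, cfg) {
  const cookie = sessionSetCookie(req, cfg);
  return cookie ? 'admin-ui' : 'login-page';
}

// Constructed requests covering the deployment shapes discussed above.
const REQUESTS = {
  directTls: { encrypted: true, headers: {} },
  behindProxy: { encrypted: false, headers: { 'x-forwarded-proto': 'https' } },
  behindProxyChain: { encrypted: false, headers: { 'x-forwarded-proto': 'https, http' } },
  plainHttp: { encrypted: false, headers: {} },
  // A client talking to Node directly and forging the header.
  spoofed: { encrypted: false, headers: { 'x-forwarded-proto': 'https' } },
};

module.exports = { isSecureRequest, sessionSetCookie, loginFlow, REQUESTS };
```

With nginx in front, the header comes from `proxy_set_header X-Forwarded-Proto $scheme;` in the location block, and the Express side is `app.set('trust proxy', true)` (or a more specific value such as the proxy's address). Enable `trust proxy` only when the proxy always overwrites `X-Forwarded-Proto` and Node is not reachable directly; otherwise the `spoofed` case above lets a plain-HTTP client obtain a Secure cookie.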
