
Conversation


Copilot AI commented Nov 20, 2025

New Pull Request Checklist

Issue Description

When Parse Dashboard runs with multiple replicas behind a load balancer without sticky sessions, CSRF token validation fails because session data is stored in memory and not shared between instances. Requests hitting different replicas fail with "CSRF token validation failed."

Closes: #3015

Approach

Added cookieSessionStore option to accept any express-session compatible store (Redis, MongoDB, etc.) for shared session storage across replicas.

Core changes:

  • Authentication.js: Accept optional cookieSessionStore in initialize(), pass to express-session config
  • app.js: Pass cookieSessionStore from options to Authentication
  • server.js: Pass cookieSessionStore from config.data to dashboard options

Documentation:

Added comprehensive documentation in README.md including:

  • Explanation of the multi-replica CSRF token issue
  • List of suggested session stores (connect-redis, connect-mongo, connect-pg-simple, memorystore)
  • Simple JavaScript example using connect-redis with cookieSessionStore
  • Important notes about cookieSessionSecret configuration for multi-replica deployments
  • Alternative approach using sticky sessions

Example usage:

```javascript
const express = require('express');
const ParseDashboard = require('parse-dashboard');
const { createClient } = require('redis');
const RedisStore = require('connect-redis').default;

// Instantiate Redis client
const redisClient = createClient({ url: 'redis://localhost:6379' });
redisClient.connect();

// Instantiate Redis session store
const cookieSessionStore = new RedisStore({ client: redisClient });

// Configure dashboard with session store
const dashboard = new ParseDashboard({
  apps: [...],
  users: [...],
}, {
  cookieSessionStore,
  cookieSessionSecret: 'your-secret-key',
});

const app = express();
app.use('/dashboard', dashboard);
app.listen(4040);
```

Note: The cookieSessionStore option cannot be set via environment variables or CLI arguments as it requires an instantiated object with active connections. It must be configured programmatically.

Backward compatibility: Defaults to in-memory store when not provided, maintaining full backward compatibility with existing deployments.

TODOs before merging

  • Add tests
  • Add changes to documentation (guides, repository pages, in-code descriptions)


@coderabbitai

coderabbitai bot commented Nov 20, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.


Comment @coderabbitai help to get the list of available commands and usage tips.

@parseplatformorg
Contributor

parseplatformorg commented Nov 20, 2025

Snyk checks have passed. No issues have been found so far.

Status  Scanner               Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues


Copilot AI and others added 3 commits November 20, 2025 14:31
Co-authored-by: mtrezza <5673677+mtrezza@users.noreply.github.com>
Co-authored-by: mtrezza <5673677+mtrezza@users.noreply.github.com>
Co-authored-by: mtrezza <5673677+mtrezza@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix CSRF token validation issue with load balancer" to "Add sessionStore option to support multi-replica deployments" Nov 20, 2025
Copilot AI requested a review from mtrezza November 20, 2025 14:41
Copilot finished work on behalf of mtrezza November 20, 2025 14:41
@uffizzi-cloud

uffizzi-cloud bot commented Nov 20, 2025

Uffizzi Ephemeral Environment deployment-65874

⌚ Updated Nov 20, 2025, 14:42 UTC

☁️ https://app.uffizzi.com/github.com/parse-community/parse-dashboard/pull/3016


@mtrezza mtrezza closed this Nov 20, 2025
@mtrezza mtrezza reopened this Nov 20, 2025
@parse-github-assistant

parse-github-assistant bot commented Nov 20, 2025

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

@mtrezza mtrezza marked this pull request as ready for review November 20, 2025 14:47
@mtrezza mtrezza changed the title Add sessionStore option to support multi-replica deployments feat: Add sessionStore option to support multi-replica deployments Nov 20, 2025
@mtrezza
Member

mtrezza commented Nov 20, 2025

@copilot does this support setting the session store option via environment variables and via CLI argument? If not, add it.

Author

Copilot AI commented Nov 20, 2025

@copilot does this support setting the session store option via environment variables and via CLI argument? If not, add it.

The sessionStore option cannot be set via environment variables or CLI arguments because it requires an instantiated object (like RedisStore or MongoStore) that maintains active connections. These objects cannot be serialized to strings or JSON.

The current implementation requires programmatic configuration:

```javascript
const dashboard = new ParseDashboard(config, {
  sessionStore: new RedisStore({ client: redisClient })
});
```

This is the standard pattern for express-session stores and matches how other Express.js applications handle session stores. The examples in the /examples directory demonstrate the proper setup.

Copilot finished work on behalf of mtrezza November 20, 2025 14:52
@uffizzi-cloud

uffizzi-cloud bot commented Nov 20, 2025

Uffizzi Ephemeral Environment deployment-65875

⌚ Updated Nov 20, 2025, 17:37 UTC

☁️ https://app.uffizzi.com/github.com/parse-community/parse-dashboard/pull/3016


Member

@mtrezza mtrezza left a comment


Remove the files added to the examples directory. Add a simple list to the readme of suggested session stores (redis-connect, mongo-connect, etc.)

@mtrezza
Member

mtrezza commented Nov 20, 2025

@copilot Remove the files added to the examples directory. Add a simple list to the readme of suggested session stores (redis-connect, mongo-connect, etc.)

@mtrezza mtrezza changed the title from "feat: Add sessionStore option to support multi-replica deployments" to "feat: Add sessionStore option to support deploying dashboard on multiple server instances behind a load balancer" Nov 20, 2025
@mtrezza mtrezza changed the title from "feat: Add sessionStore option to support deploying dashboard on multiple server instances behind a load balancer" to "feat: Add sessionStore option to support deploying dashboard on multiple server instances behind a load balancer with common session store" Nov 20, 2025
Co-authored-by: mtrezza <5673677+mtrezza@users.noreply.github.com>
Author

Copilot AI commented Nov 20, 2025

@copilot Remove the files added to the examples directory. Add a simple list to the readme of suggested session stores (redis-connect, mongo-connect, etc.)

Removed the example files and simplified the README with a list of suggested session stores (connect-redis, connect-mongo, connect-pg-simple, memorystore) in commit ed88924.

Copilot AI changed the title from "feat: Add sessionStore option to support deploying dashboard on multiple server instances behind a load balancer with common session store" to "feat: Add sessionStore option to support multi-replica deployments" Nov 20, 2025
Copilot finished work on behalf of mtrezza November 20, 2025 15:12
Copilot AI requested a review from mtrezza November 20, 2025 15:12
Co-authored-by: mtrezza <5673677+mtrezza@users.noreply.github.com>
Signed-off-by: Manuel <5673677+mtrezza@users.noreply.github.com>
Signed-off-by: Manuel <5673677+mtrezza@users.noreply.github.com>
Copilot finished work on behalf of mtrezza November 20, 2025 17:16
Co-authored-by: mtrezza <5673677+mtrezza@users.noreply.github.com>
Copilot AI changed the title from "feat: Add sessionStore option to support multi-replica deployments" to "feat: Add cookieSessionStore option to support multi-replica deployments" Nov 20, 2025
Copilot finished work on behalf of mtrezza November 20, 2025 17:24
Copilot AI requested a review from mtrezza November 20, 2025 17:24
Development

Successfully merging this pull request may close these issues.

CSRF token validation fails when Parse Dashboard runs behind a load balancer without sticky sessions