Session middleware fails to add session when request contains absoluteURI #762

Closed
jwalton opened this Issue Mar 13, 2013 · 1 comment

jwalton commented Mar 13, 2013

When using the Session middleware, if we send in a GET request where the Request-URI is an abs_path:

GET /dostuff HTTP/1.1
host: myserver.com

Then the middleware will correctly add the session. If, however, we use the absoluteURI version of Request-URI:

GET http://myserver.com/dostuff HTTP/1.1
host: myserver.com

then session will fail to create/add the req.session object. The problem is in lib/middleware/session.js:

// pathname mismatch
if (0 != req.originalUrl.indexOf(cookie.path || '/')) return next();

This fails, since "http://myserver.com/dostuff" doesn't start with a "/".

It is a little unusual for a web browser to send the absoluteURI form of a Request-URI; however, as the spec says:

To allow for transition to absoluteURIs in all requests in future versions of HTTP,
all HTTP/1.1 servers MUST accept the absoluteURI form in requests, even though
HTTP/1.1 clients will only generate them in requests to proxies.

We should be checking for an absolute URL and parsing out the path portion.
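The path extraction suggested above, as an added example that is not part of the original issue or of Connect's code. The helper names `requestPath` and `cookiePathApplies` are hypothetical, and the sample Request-URIs are constructed.

```javascript
'use strict';

// Hypothetical helper (not Connect's code): reduce an HTTP/1.1 Request-URI to
// its path-and-query part, whichever form the client sent.
function requestPath(requestUri) {
  if (typeof requestUri !== 'string' || requestUri === '') return null;

  // abs_path form: "GET /dostuff HTTP/1.1" is already a path.
  if (requestUri[0] === '/') return requestUri;

  // absoluteURI form: "GET http://myserver.com/dostuff HTTP/1.1".
  // Strip scheme and authority only; the remaining bytes are left untouched
  // so both forms are compared the same way.
  const m = /^https?:\/\/[^\/?#]*/i.exec(requestUri);
  if (!m) return null; // "*" (OPTIONS) or authority form (CONNECT): no path

  const rest = requestUri.slice(m[0].length);
  if (rest === '') return '/';
  return rest[0] === '/' ? rest : '/' + rest; // "http://host?x=1" -> "/?x=1"
}

// Same prefix comparison as the quoted check, applied to the extracted path
// instead of the raw Request-URI.
function cookiePathApplies(requestUri, cookiePath) {
  const path = requestPath(requestUri);
  return path !== null && path.indexOf(cookiePath || '/') === 0;
}

// Constructed sample Request-URIs paired with a cookie path.
const samples = [
  ['/dostuff', undefined],
  ['http://myserver.com/dostuff', undefined],
  ['http://myserver.com/admin/x', '/admin'],
  ['http://myserver.com/dostuff', '/admin'],
  ['//myserver.com/admin', '/admin'], // abs_path that merely looks like a host
  ['*', undefined],
];
for (const [uri, cookiePath] of samples) {
  console.log(JSON.stringify(uri), '->', requestPath(uri),
    'session applies:', cookiePathApplies(uri, cookiePath));
}
```

A Request-URI that yields no path (`*` or the CONNECT authority form) is treated as a mismatch, so the session is skipped for it exactly as it is for any other path mismatch.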

lpinca Mar 17, 2013

Confirmed.
In this gist I put a simple test case.
If request path is an abs_path the session works fine, but if it is an absoluteURI the session is not added.
I believe that cookieSession has the same problem.

