add port to cookie name to differentiate multiple servers on same domain #95
Signed-off-by: Todd Wellman <twellman@rocketsoftware.com>
lib/webapp.js
Outdated
@@ -533,6 +533,7 @@ function WebApp(options){ | |||
this.expressApp.use(cookieParser()); | |||
this.expressApp.use(session({ | |||
//TODO properly generate this secret | |||
name: 'connect.sid.' + options.httpsPort, |
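Review bot: on the added `name:` line, `options.httpsPort` is concatenated without checking that it is set, so a server started with HTTPS disabled would get the cookie name `connect.sid.undefined`, and two such servers on one host would share a session cookie again. Pick the port from whichever listener is actually configured before building the name, and add a one-line comment saying the suffix is there because browsers do not scope cookies by port.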
This is not 100%.... it's possible for someone to have enabled http and disabled https (though discouraged).
Instead, check if https ISN'T being used. If it isn't, use http. If both are being used, you can still use https since you have to choose only 1.
Signed-off-by: Todd Wellman <twellman@rocketsoftware.com>
lib/webapp.js
Outdated
let port = options.httpsPort; | ||
if (!options.httpsPort) { | ||
port = options.httpPort; | ||
} |
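Review bot: after the `if (!options.httpsPort)` fallback, `port` is still undefined when `options.httpPort` is not set either, and nothing in these lines rejects or logs that case. Consider failing early when neither port is configured, and add a short comment explaining why the HTTPS port is preferred when both listeners are enabled.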
Better way to do this is:
const port = options.httpsPort ? options.httpsPort : options.httpPort;
Allows use of const for read-only, and also does not need reassignment.
Signed-off-by: Todd Wellman <twellman@rocketsoftware.com>
Signed-off-by: Todd Wellman <twellman@rocketsoftware.com>
Yup - tested in the following ways
- If I login to two servers in 1 browser, does one get logged out?
- If I do REST requests to either, is one logged out?
- If I log out of one, am I logged out of the other?
- If I did log out, do I get 401s on one but not on the other?
Behavior seems correct now.
Signed-off-by: Todd Wellman <twellman@rocketsoftware.com>
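Added example, not part of the pull request or the project's code: a small simulation of the manual test checklist above, showing why a shared cookie name breaks two servers on one host and how the port suffix fixes it. The `CookieJar` class, the `sessionCookieName` helper, the host `example.test` and the ports are assumptions made for illustration; `connect.sid` is express-session's default cookie name.

```javascript
// Simplified browser cookie jar: cookies are keyed by host and name only.
// Browsers do not isolate cookies by port (RFC 6265); path and the Secure
// attribute are left out of this model.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  key(origin, name) {
    return `${new URL(origin).hostname}|${name}`; // port deliberately dropped
  }
  set(origin, name, value) { this.cookies.set(this.key(origin, name), value); }
  get(origin, name) { return this.cookies.get(this.key(origin, name)); }
  clear(origin, name) { this.cookies.delete(this.key(origin, name)); }
}

// Hypothetical helper mirroring the reviewed logic: prefer the HTTPS port,
// fall back to the HTTP port, and refuse to build a name with no port.
function sessionCookieName(options, perPort) {
  if (!perPort) return 'connect.sid'; // default name, shared by every server
  const port = options.httpsPort ? options.httpsPort : options.httpPort;
  if (!port) throw new Error('no listening port configured');
  return 'connect.sid.' + port;
}

// Log in to two servers on the same host, then log out of the first one.
function simulate(perPort) {
  const jar = new CookieJar();
  // Constructed sample servers: one HTTPS-only, one HTTP-only.
  const a = { origin: 'https://example.test:8544', options: { httpsPort: 8544 } };
  const b = { origin: 'http://example.test:8543', options: { httpPort: 8543 } };
  const nameA = sessionCookieName(a.options, perPort);
  const nameB = sessionCookieName(b.options, perPort);
  jar.set(a.origin, nameA, 'session-A'); // login to server A
  jar.set(b.origin, nameB, 'session-B'); // login to server B
  const aAfterBothLogins = jar.get(a.origin, nameA);
  jar.clear(a.origin, nameA);            // logout from server A
  const bAfterALogout = jar.get(b.origin, nameB);
  return { nameA, nameB, aAfterBothLogins, bAfterALogout };
}

console.log('shared name:  ', simulate(false));
console.log('per-port name:', simulate(true));
```

With the shared name, server A receives server B's session id after the second login and logging out of A also removes B's cookie; with per-port names both sessions stay independent.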