15

On our ExpressJS application, when pushed to production server, the passport session gets mixed up at random times. At random, the page can load the view of another user even when I did not log out of my session. Without doing anything else, another refresh will bring me back to my own account (at random too).

This phenomenon is happening to two of our web applications coded by two separate users following the Passport guides on their website. Both web apps use Facebook connect/API.

This happens on both Redis and File session stores. I saw a post about using global variables: we are sure we use local scope only.

Is there something that we are doing wrong?

Update v1

On one app, we implemented the following for the serialize/deserialize for Passport:

passport.serializeUser(function(user, done) {
    done(null, user);
});

passport.deserializeUser(function(obj, done) {
    done(null, obj);
});

The other, we have also tried:

passport.serializeUser(function (user, done) {
  done(null, user);
});

passport.deserializeUser(function(user, done) {
  User
    .where({id: user.id})
    .fetch()
    .then(function (user) {
      done(null, user);
    }, function (err) {
      done(err, user);
    });
});

Either way, the app stills have its session mixed up.

Update v2 This error only happens when multiple users are logged in to the server and are using concurrently. It does not occur when only 1 person is using the system.

Update v3 It seems that the problem might be caused by Amazon AWS since some of the "wrong user" page requests are not reaching the NodeJS app at all (verified by console.log).

Community
  • 1
  • 1
mauris
  • 42,982
  • 15
  • 99
  • 131
  • 1
    How are you serializing/deserializing the user? Each request will come from the client with the `user` property set to whatever you serialized the user as when registering the session. – Purag Aug 31 '15 at 09:35
  • thanks @Purag, I have updated the question with our serialize/deserialize code. both are found on working examples everywhere. – mauris Aug 31 '15 at 12:08
  • The apps aren't using `app.locals` where they should be using `res.locals` instead, by any chance? – robertklep Sep 02 '15 at 10:09
  • @robertklep - nope we either only use `res.locals` or don't use it at all. The `req.user` provides a different user than expected. – mauris Sep 03 '15 at 00:03

1 Answers1

4

The problem seems to be caching caused by ExpressJS, not PassportJS session.

We found out that ExpressJS sets the setting view cache to true when in production. By using app.disable('view cache'); in app.js, we disabled cache and seems to have solved the problem.

mauris
  • 42,982
  • 15
  • 99
  • 131
  • 1
    `Simply click the bounty award icon next to each answer to permanently award your bounty to the answerer. (You cannot award a bounty to your own answer.)` as written in [bounty doc](http://stackoverflow.com/help/bounty) – sertsedat Sep 09 '15 at 08:06
  • 1
    400 rep is gone to empty space.. gah :( – sertsedat Sep 09 '15 at 10:10
  • express and passport are sharing the same session. So I still do not understand why caching will cause problems in you case. – derek Oct 26 '15 at 22:21