1

So I have a Node.js + Express app I can access with a couple of hostnames: example1.com and example2.com (they are not subdomains! I know how to do it if they are subdomains).

I use Express Session with MongoDB Store and passport to manage authentication.

I'd like to use the same session with both the domains but I can't figure out how to do it.

Each time I access the two domains it creates two different sessions and I cannot understand where I could check if the session is already up and use that for both the domains.

Basically this is my current express init file (I removed a lot of things, just to focus on sessions):

```javascript
'use strict';

/**
 * Module dependencies.
 */
var express = require('express'),
    bodyParser = require('body-parser'),
    session = require('express-session'),
    cookieParser = require('cookie-parser'),
    passport = require('passport'),
    MongoDBStore = require('connect-mongodb-session')(session),
    config = require('./config');

module.exports = function(db) {
    // Initialize express app
    var app = express();

    // CookieParser should be above session
    app.use(cookieParser());

    var store = new MongoDBStore(
      { 
        uri: config.db,
        collection: config.sessionCollection
      });

    // Express MongoDB session storage
    app.use(session({
      saveUninitialized: true,
      resave: true,
      secret: config.sessionSecret,
      store: store,
    }));

    app.use(passport.initialize());
    app.use(passport.session());

    return app;
};
```

Any hint?

michelem
  • you mean on the server side store is duplicating the data for both the domains? – prasun Nov 26 '15 at 15:00
  • I mean if you access this app from 2 different domains it creates/stores 2 different sessions one for each domain and I don't want this. – michelem Nov 26 '15 at 15:17
  • Could it be [this solution](http://stackoverflow.com/questions/19104292/express-session-with-different-cookie-domain-per-request) – Sami Nov 26 '15 at 15:49
  • @Sami this is about how to use different session stores for different domains in same app, it won't avoid duplication or re-generation of new Ids? – prasun Nov 26 '15 at 15:55
  • @Michelem have you found a good solution to your two domain issue? I have the same question :-) – karlkurzer Jun 12 '16 at 17:07

1 Answer

0

IMO the only way to do that is if you are able to figure out on the server side that the request is coming from the same browser/machine. Because the browser would not share the session ID cookie (as the requests are for two different domains), on the server you would think of it as a new request for a session, and you would always grant a new session ID to the client.

If you really want to have single session store, I recommend writing your own session store with the below idea:

Firstly, don't use cookies for the session; use the browser's localStorage, and sign the session ID from the server that needs to be stored on the client, which protects it from being tampered with. This session ID would be included in the requests using your AJAX and client-side JS in each request, acting as a session ID cookie.

Secondly, open an iframe of the other domains whenever a domain is opened; let's say if example1.com is opened, you should open an iframe of example2.com and vice versa. In your iframes, write code to send the signed localStorage information back to the parent frame using window.postMessage(). Since you are the owner of all the domains, you should be able to allow window.postMessage() communication across your domains.

Since you would receive the same session ID in each request across all domains, you can detect a unique session across domains and devise a session store on the server side to store only one entry across domains.

prasun
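The signing step and the cross-frame exchange described in the answer above, sketched as an added example that is not part of the original answer. The function names, the secret, the `sessionToken` storage key and the `session-request` / `session-token` message types are all assumptions made for illustration.

```javascript
// Added example; all names, the secret and the message types are hypothetical.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: read from config in practice
const TRUSTED_ORIGINS = new Set(['https://example1.com', 'https://example2.com']);

// Server: issue "<sessionId>.<hmac>" so a modified ID is detectable.
function signSessionId(sessionId, secret = SECRET) {
  const mac = crypto.createHmac('sha256', secret).update(sessionId).digest('hex');
  return `${sessionId}.${mac}`;
}

// Server: return the session ID if the signature verifies, otherwise null.
function verifySessionToken(token, secret = SECRET) {
  if (typeof token !== 'string') return null;
  const dot = token.lastIndexOf('.');
  if (dot <= 0) return null;
  const sessionId = token.slice(0, dot);
  const given = Buffer.from(token.slice(dot + 1));
  const expected = Buffer.from(signSessionId(sessionId, secret).slice(dot + 1));
  // timingSafeEqual throws on unequal lengths, so check them first.
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? sessionId : null;
}

// Iframe: answer a token request only when the embedding page is one of our origins.
// `event` has the shape of a MessageEvent; `storage` stands in for localStorage.
function handleTokenRequest(event, storage) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  if (!event.data || event.data.type !== 'session-request') return null;
  const token = storage.getItem('sessionToken');
  if (!token) return null;
  // Reply to the exact requesting origin, never '*'.
  return { message: { type: 'session-token', token }, targetOrigin: event.origin };
}

// Parent: accept a token only when it arrives from a trusted origin.
function acceptToken(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  if (!event.data || event.data.type !== 'session-token') return null;
  return typeof event.data.token === 'string' ? event.data.token : null;
}

// Browser wiring in the iframe page (comment only, needs a DOM):
// window.addEventListener('message', (e) => {
//   const r = handleTokenRequest(e, window.localStorage);
//   if (r) e.source.postMessage(r.message, r.targetOrigin);
// });
```

The server still has to run `verifySessionToken` on every request that carries the token. Browsers that partition third-party storage give the embedded iframe a separate localStorage from the top-level site, so test the exchange in the browsers you support.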