My Express app uses PassportJS for storing the auth session, but it creates a ridiculous number of keys in the Redis store, and all the keys look the same:

```
"{\"cookie\":{\"originalMaxAge\":null,\"expires\":null,\"httpOnly\":true,\"path\":\"/\"},\"passport\":{}}"
```

They do have a TTL, but the store is growing in size for no good reason. Any idea why these are being created? My keys look like:

```
"sess:8R3A-k6dARJvxXFdAXr5nTG7MeC7JTxb"
"sess:s4VYC-k-nmfSf7n-qGQJimFmt30EYNDp"
"sess:BS7WO92Nyl5R0wAbJ-Vo9o8w1apu0kp7"
"sess:0B1AKS6-MCclPvOXV0nlvNio8U8fxyQO"
"sess:v0UWf60LMwKmMVZgo4RWumX313yPsiD0"
```

If I just eyeball it, roughly around 10 keys are being created every second or two.

This is how my session code looks:

```js
var express = require('express'),
    ....
    session = require('express-session'),
    redisStore = require('connect-redis')(session);

...
    app.use(express.static(path.resolve('./public')));

    //Redis
    var redisClient = redisHelper.init();

    app.use(session({
        secret: '...',
        store: new redisStore({
            client: redisClient,
            ttl: 86400              // store TTL, in seconds
        }),
        resave: false,
        saveUninitialized: false,   // do not save sessions that were never modified
        cookie:{maxAge:86400}       // cookie lifetime; express-session reads maxAge in milliseconds
    }));

    //Passport
    app.use(passport.initialize());
    app.use(passport.session());
...
```

Redis init function returns an instance of a redis client:

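```js
var redis = require('redis'),
    winston = require('winston');
// `config` is the app's own configuration module (not shown in the question)

exports.init = function () {
    // declared with var so the client does not leak into the global scope
    var redisClient = redis.createClient(config.redis.port, config.redis.server, {});

    redisClient.auth(config.redis.auth);

    redisClient.on('error', function (error) {
        //TODO: log the error
        winston.error('Error while talking to Redis', {message: error});
    });

    return redisClient;
};
```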
mithun_daa
  • I take it you are actually getting traffic hitting the app, and you assume the app is making more than one session per user, is this right? – Ash Jan 27 '16 at 17:41
  • It is getting some traffic, very little actually. – mithun_daa Jan 27 '16 at 17:43
  • The session/store looks Ok, it might be useful to add `redisHelper.init()`'s code to your question too. Have you tried adding the user's IP for each session to see if it's just one user creating a bunch of sessions? – Ash Jan 27 '16 at 18:29
  • @AshleyB What do you mean by adding the user's IP? Do you mean log it to the console? – mithun_daa Jan 27 '16 at 18:49
  • Add the user's IP to the session for each request (middleware); that way you'll be able to tell if it's just one user or not. – Ash Jan 27 '16 at 18:56
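
The check suggested in the comments, written out as an added example that is not part of the original question or its comments: a middleware that records the client IP in each session, and a helper that groups dumped session values by IP. The names `tagSessionWithIp` and `summariseSessions` are hypothetical, and the sample records are constructed.

```javascript
// Hypothetical middleware: mount it right after app.use(session({...})).
// Caveat: writing to req.session marks it modified, so the session is saved
// even with saveUninitialized: false. Remove it once the source is identified.
function tagSessionWithIp(req, res, next) {
  if (req.session && !req.session.ip) {
    req.session.ip = req.ip; // Express fills req.ip (honours 'trust proxy')
  }
  next();
}

// records: [{ key, value }] where value is the JSON string stored under a
// sess:* key. Returns one row per IP, busiest first.
function summariseSessions(records) {
  const byIp = new Map();
  for (const { key, value } of records) {
    const sess = JSON.parse(value);
    const ip = sess.ip || 'unknown';
    const row = byIp.get(ip) || { ip, total: 0, anonymous: 0, keys: [] };
    row.total += 1;
    // No passport.user means the client never authenticated.
    if (!sess.passport || sess.passport.user === undefined) row.anonymous += 1;
    row.keys.push(key);
    byIp.set(ip, row);
  }
  return [...byIp.values()].sort((a, b) => b.total - a.total);
}

// Constructed sample data, shaped like the value shown in the question.
const cookie = { originalMaxAge: null, expires: null, httpOnly: true, path: '/' };
const sampleRecords = [
  { key: 'sess:example-1', value: JSON.stringify({ cookie, passport: {}, ip: '203.0.113.7' }) },
  { key: 'sess:example-2', value: JSON.stringify({ cookie, passport: {}, ip: '203.0.113.7' }) },
  { key: 'sess:example-3', value: JSON.stringify({ cookie, passport: {}, ip: '203.0.113.7' }) },
  { key: 'sess:example-4', value: JSON.stringify({ cookie, passport: { user: 42 }, ip: '198.51.100.9' }) },
  { key: 'sess:example-5', value: JSON.stringify({ cookie, passport: {} }) }, // created before tagging
];

for (const row of summariseSessions(sampleRecords)) {
  console.log(`${row.ip}: ${row.total} sessions, ${row.anonymous} without a logged-in user`);
}
```

A single address holding many sessions without a logged-in user indicates a client that is not sending the session cookie back, so each of its requests starts a new session.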

0 Answers