1

I have two separate Express 4.x apps running on the same server machine (different ports), sharing a MongoDB instance. They both use different databases and have different session secrets.

I am able to log into application A or B individually without issue. My session is maintained and all is well. However, if I am logged into A and then log into B, my session in A is destroyed (and vice versa).

Both applications have near-identical local auth. Their serializeUser and deserializeUser are very primitive (following the Passport docs almost to a tee).

It seems that when logging into A then B, req.session.passport is destroyed, causing req.user to not serialize properly on app A and the session is considered invalid.

I'm starting to think it has to do with the fact both apps run on the same machine (thus domain), differing only by a port.

Erik

3 Answers

3

express-session: simple session middleware for Express in Node.js. To use it, you have to include the package like this:

var session = require('express-session');

To install this package, run the following command:

$ npm install express-session

To use this in Express, the following code is given:

app.use(session({
  secret: 'secretkey',
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true }
}));

By default, the name of the session ID cookie to set in the response (and read from in the request) is connect.sid. To overwrite this, use the following:

app.use(session({
  name: 'cookiename',
  secret: 'secretkey',
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true }
}));

For more reference, see this link: https://www.npmjs.com/package/express-session

Note: Put your express-session statement in your application's app.js before the app.use(passport.session()) statement.

Hope this will help to solve your query!

Vikash Kumar
0

const mongoose   = require('mongoose'),
    timestamps = require('mongoose-timestamp');

var Schema = mongoose.Schema;
const Sessions = new mongoose.Schema({
    expires : {
        type : String,
        default : ""
    },
    session : {
        type : Schema.Types.Mixed,
        default : {}
    }
}, { collection: 'sessions' })

Sessions.plugin(timestamps)

module.exports =  mongoose.model('sessions', Sessions);

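// Require the schema (path assumed: the schema file above saved as ./sessions.js)
const Sessions = require('./sessions');

// Remove the sessions that belong to a user, matched by the user's id
// (remove() is deprecated in current Mongoose; deleteMany() is its replacement)
Sessions.deleteMany({ "session.user._id": user._id })
    .exec()
    .then(console.log)
    .catch(console.error);
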
rabie jegham
0

You have to mention different names for each session in the different projects while they are running on different ports. By default, it will be connect.sid for all projects.

For example: project A running on port 3000 -
project B running on port 5000 -

While running these projects at the same time, by default they will have the same session name, so they will clash in authentication. So you must use different session names for each project.

Ratan Uday Kumar
Rashid TP
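The collision the answers describe, reproduced as an added example (not code from the question or any answer): a simplified model of express-session's signed-cookie handling that needs only Node's crypto module. The helpers `makeApp` and `scenario`, the cookie names `a.sid` and `b.sid`, and the secrets are constructed for the illustration.

```javascript
const crypto = require('crypto');

// Signed cookie value modelled on express-session / cookie-signature:
// "s:" + id + "." + unpadded base64 HMAC-SHA256(id, secret).
const sign = (id, secret) => 's:' + id + '.' +
  crypto.createHmac('sha256', secret).update(id).digest('base64').replace(/=+$/, '');

// Return the session ID if the signature verifies under this secret, else null.
function unsign(value, secret) {
  if (typeof value !== 'string' || !value.startsWith('s:')) return null;
  const id = value.slice(2, value.lastIndexOf('.'));
  const a = Buffer.from(sign(id, secret)), b = Buffer.from(value);
  return a.length === b.length && crypto.timingSafeEqual(a, b) ? id : null;
}

// Simplified model of one app: a session store plus the middleware decision
// "reuse the session named by the cookie, or issue a fresh one".
function makeApp({ name = 'connect.sid', secret }) {
  const store = new Map();
  return {
    handle(jar, login) {
      let id = unsign(jar.get(name), secret);
      if (id === null || !store.has(id)) {   // missing, foreign or unknown cookie
        id = crypto.randomBytes(12).toString('hex');
        store.set(id, {});
        jar.set(name, sign(id, secret));     // Set-Cookie replaces the same-named cookie
      }
      if (login) store.get(id).user = login;
      return store.get(id).user || null;
    },
  };
}

// Browser jar for one host: keyed by cookie name only, because cookies are
// scoped by host and path, not port, so ports 3000 and 5000 share this jar.
function scenario(nameA, nameB) {
  const jar = new Map();
  const appA = makeApp({ name: nameA, secret: 'secret-A' });
  const appB = makeApp({ name: nameB, secret: 'secret-B' });
  appA.handle(jar, 'alice');   // log into A
  appB.handle(jar, 'alice');   // log into B
  return appA.handle(jar);     // revisit A: who does A think we are?
}

console.log(scenario(undefined, undefined)); // both apps default to connect.sid
console.log(scenario('a.sid', 'b.sid'));     // distinct cookie names
```

With the shared default name, each app rejects the other's signature and overwrites the cookie, so the user is logged out of A; with distinct names both sessions survive.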