6

I am trying to save a session variable for a user when they log in. This works on the computer, but when I try it on an iPad using Safari or Chrome, it doesn't save.

Here is where I set up my session:

app.set('trust proxy', 1)
app.use(session({
  secret: crypto.randomBytes(20).toString('hex'),
  resave: false,
  duration: 60 * 60 * 1000,
  activeDuration: 10 * 60 * 1000,
  saveUninitialized: false,
  cookieName: 'session',
  cookie: { secure: true }
}))

I use this route to set up the user:

.get('/checkLogin', (req,res) => {
  const loginCred = req.query;
  db.any('SELECT * FROM users WHERE user_name = $1 AND password = $2 LIMIT 1', [loginCred[0], loginCred[1]])
  .then(function (user) {
    req.session.user = user;
    req.session.save();
    res.end(JSON.stringify(user));
  })
  .catch(function (err) {
      throw err;
  })
})

When I console log this, it is getting set properly. Then when I call the session on the return it is not there. I've tried to add the save and that still didn't work. I also added maxage to the session variable to keep it alive for 3 days and it still didn't work.

BStill

2 Answers

2

You have your cookie set to {secure: true}, which requires an HTTPS connection for the browser to send the session cookie back with the request. However recommended, make sure it fits your testing environment and make sure you're using HTTPS on both devices.

https://www.npmjs.com/package/express-session#cookiesecure

Also, in development or production mode, when restarting Express after making changes, your secret changes after every restart (from using a function [crypto.randomBytes(20).toString('hex')] instead of a static key), causing a client's session ID to be invalid after restart. That shouldn't matter anyway, because you have no persistent sessions set up, so any restart will wipe all sessions. If you need persistent sessions, look into using memcached, a database, or a file instead of process memory.

https://www.npmjs.com/package/express-session#store


Update 2022-10-19

Sample session using NGINX as a front end that I ended up using for my project when I stumbled on this. My node.js/express does not have SSL set up between nginx>node.js and uses upstream.

Have to trust proxy and I ended up removing:

// app.set('trust proxy', 1) // trust first proxy

and added it into the session

let session         = require('express-session');
let memsession      = require('connect-memcached')(session);

let sessionMiddleware = session({
    secret  : config.sessionSecret,
    key     : 'sid',
    cookie: {
        maxAge  : (86400 * 30 * 1000), // 30 days
    },

    proxy   : true,
    resave  : true,
    rolling : true,
    saveUninitialized: true,

    store   : new memsession({
        hosts: ['127.0.0.1:11211'],
        // secret: '_secret_' // Optionally use transparent encryption for memcache session data
    })
});

However, I can't be sure if we ever got all older iPads working. We did get mine working and shifted projects.

melfy
  • Thanks for the tip. My development and production servers both have HTTPS enabled and when I am on the ipad it loads over HTTPS. And it still doesn't work. I even have `app.set('trust proxy', 1)` because my project is behind a proxy in Production and it still doesn't work. When I get home, I'll set it to `false` to see if it works. – BStill Aug 22 '18 at 17:35
  • Try turning off httpOnly? cookie : {httpOnly: false }, also maybe try specifying the domain? – melfy Aug 23 '18 at 20:38
  • I know it's been long time since you posted this, but pls can you help me out with your solution, cuz am facing this problem too. @BStill – Paulliano Sep 25 '22 at 09:52
  • @Paulliano I left the project before this issue was solved. Unfortunately I was never able to figure it out. It might be best to see if there is another package available for sessions that may solve the issue. We tried adjusting all of the settings and it just never worked for the iPad, but worked for other mobile devices. – BStill Oct 18 '22 at 07:19
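
Added example, not part of the original answers and not express-session's own code: a simplified Node.js model of the two behaviours the first answer describes, a `secure` cookie being withheld unless the request counts as HTTPS (directly or through a trusted `X-Forwarded-Proto`), and a per-restart random secret invalidating previously signed session cookies. The request objects, secrets and session ID are constructed, and the `s:<sid>.<HMAC-SHA256>` cookie format is an assumption of this sketch.

```javascript
const crypto = require('crypto');

// Assumed signed-cookie format: "s:" + sid + "." + base64(HMAC-SHA256(sid, secret)).
function signSid(sid, secret) {
  const mac = crypto.createHmac('sha256', secret).update(sid).digest('base64').replace(/=+$/, '');
  return `s:${sid}.${mac}`;
}

// Returns the session ID if the signature verifies under `secret`, else false.
function unsignSid(cookieValue, secret) {
  if (!cookieValue.startsWith('s:')) return false;
  const sid = cookieValue.slice(2, cookieValue.lastIndexOf('.'));
  const expected = Buffer.from(signSid(sid, secret));
  const actual = Buffer.from(cookieValue);
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual) ? sid : false;
}

// Decide whether a request counts as HTTPS, given the session `proxy` option.
// `req` is a constructed stand-in: { encrypted, secure, headers }.
function isSecure(req, proxy) {
  if (req.encrypted) return true;                 // TLS terminated by Node itself
  if (proxy === false) return false;              // never trust forwarded headers
  if (proxy !== true) return req.secure === true; // defer to Express "trust proxy"
  const proto = (req.headers['x-forwarded-proto'] || '').split(',')[0];
  return proto.trim().toLowerCase() === 'https';
}

// A `secure: true` session cookie is only set when the request counts as secure.
function wouldSetCookie(req, { secure, proxy }) {
  return !secure || isSecure(req, proxy);
}

// Constructed sample: nginx terminates TLS and forwards plain HTTP upstream.
const behindNginx = { encrypted: false, secure: false, headers: { 'x-forwarded-proto': 'https' } };
const sid = 'constructed-session-id';

function demo() {
  const staticSecret = 'constructed-static-secret';
  const cookie = signSid(sid, staticSecret);
  return {
    sameSecretAfterRestart: unsignSid(cookie, staticSecret),
    randomSecretAfterRestart: unsignSid(cookie, crypto.randomBytes(20).toString('hex')),
    secureNoProxyTrust: wouldSetCookie(behindNginx, { secure: true, proxy: false }),
    secureWithProxyTrust: wouldSetCookie(behindNginx, { secure: true, proxy: true }),
  };
}

console.log(demo());
```
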
0

Try putting resave: true. If it works, you might want to change the value of saveUninitialized.

DrEarnest
  • I believe that I had these both set to `true` at one time. I will try it again when I get home though. Thank you for your help – BStill Aug 24 '18 at 17:26