A Node.js express session is overwritten by another parallel session

Question

We use express-session library to handle the request sessions. A session sometimes is overwritten by another parallel session.

For example, a Client A accesses our app and generates Session #A. After that, another Client B creates Session #B. Then the client A refresh the same app and find its session is changed as Session #B. In other words, the Session #A has been replaced by Session #B.

Does anyone have experience resolving a similar issue?

Part of my source code is attached below: written in TypeScript. The session config is defined in sess.ts. The store I am using is express-oracle-session.

sess.ts

exports.configSession = () => {
  let oracledb = require('oracledb');
  let session = require('express-session');
  let oracleDbStore = require('express-oracle-session')(session);
  let sessOpts = {
    checkExpirationInterval: 60000,
    createDatabaseTable: true,
    schema: {
        tableName: 'ldap_sessions'
    }
};

return new Promise((resolve, reject) => {
    oracledb.getConnection('oracle_db', (err, conn) => {
        if (err) {
            return reject(err.message);
        }
        let sessionStore = new oracleDbStore(sessOpts, conn);
        let sessConfig = {
            secret: 'ldap secret',
            resave: true,
            saveUninitialized: true, 
            rolling: true, 
            cookie : {
                httpOnly: false,
                maxAge: 1000 * 60 * 60 * 24
            store: sessionStore
        };
        return resolve(session(sessConfig));}
    )});

};

server.ts

let configSess = require('./sess');
let cookieParser = require('cookie-parser');
let bodyParser = require('body-parser');

configSess.configSession().then((sess) => {
    app.use(sess);
    startServer();
});

score 3 · Answer 1 · answered Nov 08 '18 at 03:11

3

Well, you say you're using express-session. That uses a cookie in the browser to keep track of clients. So, the only way I know of that client A and client B get their sessions mixed up is if they are in the same browser. If so, that is working as intended. Each browser gets one session. If you create a session in one window, then create another session in another window, the cookie for the 2nd session will overwrite the cookie from the first window and a refresh in the second window will take on the 2nd session. That is how express-session works.

If you're not using the same browser for both clients, then there's something seriously wrong in your server implementation of express-session and we'd have to see your server-side code to help further with that.

If you want to have two separate sessions in the same browser for separate purposes (e.g. one for an admin login and one for a user login), then you can see here: how to manage multiple session in express js. But, that is not so that you can have two separate clients each with the same type of session and separate sessions operating in the same browser. I don't think that is something that express-session supports. To do that, you'd probably have to use something other than cookies for keeping track of session keys (perhaps the old ?sessionid=xxxxx in every URL, but that has its whole own set of issues which is why it's rarely used any more).

answered Nov 08 '18 at 03:11

jfriend00

683,504
96
985
979

A hint for testing - incognito/private mode have separate sessions from non-incognito/non-private windows. – slebetman Nov 08 '18 at 03:17
@slebetman - Yeah, because incognito mode keeps track of a separate set of cookies, so as not to allow your regular cookies to be polluted by those in incognito mode or for any sites accessed in incognito mode to have any access to your regular cookies. Those incognito cookies are also temporary (e.g. not stored persistently when you leave incognito mode). – jfriend00 Nov 08 '18 at 03:20
Yup. That's what makes it so useful for devs. I've had complaints like this in several jobs before - usually from newbie QA or dev. It always boils down to teaching the QA or dev how to use incognito mode and several alternative browsers to test multiple accounts properly. So far it has never required actual change in code because test requirements != real world usage – slebetman Nov 08 '18 at 03:24
@slebetman - Yeah, there's a reason I have and use multiple browsers. VMs can also be useful in this regard too. – jfriend00 Nov 08 '18 at 03:27
@jfriend00 I am not using the same browser for tests. I (A) and another co-worker (B) test the app from different computers. I also added source code in my posting. Any advice is really appreciated. – G Chen Nov 08 '18 at 18:58

score 0 · Answer 2 · answered Aug 14 '22 at 16:22

I faced the same problem in my local server. I used two different browser chrome and firefox to test. But whenever I refresh any one browser anthoer client's session was overide by the current user session. I used mobile browser also on the same local network to check the issue. Then I read the express-session documentation express-session documentation and I found my problem. I was storing session data in a global variable. That caused the problem. Whenever a client refreshed the browser or relogin the variable data was overwritten. I used req.session.user instead of a gloabal variable. And it solved the issue.

score 0 · Answer 3 · edited Oct 23 '22 at 08:35

0

I used req.session.user instead of a global variable. And it solved the issue.

edited Oct 23 '22 at 08:35

Tyler2P

2,324
26
22
31

answered Oct 20 '22 at 17:16

thlord

11
2

A Node.js express session is overwritten by another parallel session

3 Answers3