3

I have a basic Node.js Express app using express-sessions.

Please can someone help with why the sessions are not persisting and why a new session is created for every request.

The app itself is quite large, so I have added a reduced case of the important settings below.

const express = require('express');
const session = require('express-session');
const MongoDBStore = require('connect-mongodb-session')(session);

// initialise express
const app = express();
// initialise db session store
const store = new MongoDBStore({
  uri: MONGODB_URI,
  collection: 'sessions',
  // can also set expire here for auto cleanup by mongodb
});

app.use(session({
  secret: 'secret password',
  resave: false,
  saveUninitialized: false,
  httpOnly: false,
  secure: app.get('env') === 'production',
  store,
}));

// ...routes

In a user login route the app sets the request user to the session and saves the session. It is expected that this req.session.user will persist between pages, but it does not. On each page request I can see a new session (or sometimes multiple sessions, 1 for each file request) being created.

Joshvr27

1 Answer

4

UPDATE

TL;DR: robots.txt causes issues if not dealt with; set the DEBUG env variable to express-session to troubleshoot.

After a lot of hair pulling I've found a solution and some useful troubleshooting tips.

When running your app, run it with debug set to express-session.

So for those of you that are quite new to this like myself, run your app with a command similar to this:

DEBUG=express-session node 'bin/www.js'

or

DEBUG=express-session node app.js

depending on how you have your app entry point set up.

Doing this will print session-related log messages so you can troubleshoot whether the cookie is actually getting sent with each request or not. The error messages will look something like this:

  express-session fetching 0wgmO1264PsVvqeLqaIIXd6T0ink0zts +34s
  express-session session found +49ms

To troubleshoot the issue of multiple requests causing multiple sessions per page load, add a middleware at the top of your app before any other middleware. This will allow us to see the request URL and troubleshoot which requests may be interfering with our sessions.

// see what requests are being sent and which ones contain cookies
app.use((req, res, next) => {
  const { url } = req;
  const isCookieSent = req.headers.cookie;
  console.log({ url });
  console.log({ isCookieSent });
  next();
});

From doing this I found out that the culprit was the robots.txt file. Apparently the only path that is ignored by default is favicon.ico.

Because this robots.txt path wasn't handled properly, nor was it sending a cookie, it was causing the duplicate requests and also causing the cookies not to persist.

To fix this you either need to handle or ignore this request prior to getting to the session middleware.

I did this using this middleware, once again fairly high up.

app.get('/robots.txt', (req, res) => {
  res.type('text/plain');
  res.send('User-agent: *\nDisallow: /');
});

I am new to node.js so if there is anyone with more knowledge feel free to chip in with extra info or cleaner ways of solving this problem. Hopefully this saves some of you a lot of hassle!

Joshvr27
  • 1
    Huge help for debugging express-sessions generally! This helped me in another context a ton. Thanks! – FabZbi Mar 07 '20 at 19:38
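
An added example, not part of the original answer: the request-logging idea from the answer above, generalised into a per-path tally of which requests carried the session cookie and run over constructed sample requests. It assumes express-session's default cookie name `connect.sid` and records only whether the cookie was present, so session IDs stay out of the logs; `parseCookieHeader`, `createSessionCookieAudit` and `runSample` are names made up for this example.

```javascript
// Added example, not code from the original answer.
// 'connect.sid' is express-session's default cookie name (assumed unchanged).
const SESSION_COOKIE = 'connect.sid';
// Parse a Cookie request header into a Map of name -> value.
function parseCookieHeader(header) {
  const cookies = new Map();
  if (typeof header !== 'string') return cookies;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name && !cookies.has(name)) cookies.set(name, part.slice(eq + 1).trim());
  }
  return cookies;
}

// Express-style middleware plus a report of paths that never sent the cookie.
function createSessionCookieAudit(cookieName = SESSION_COOKIE) {
  const stats = new Map(); // path -> { withCookie, withoutCookie }
  function middleware(req, res, next) {
    const path = String(req.url || '').split('?')[0];
    const entry = stats.get(path) || { withCookie: 0, withoutCookie: 0 };
    const sent = parseCookieHeader(req.headers && req.headers.cookie).has(cookieName);
    if (sent) entry.withCookie += 1; else entry.withoutCookie += 1;
    stats.set(path, entry);
    next();
  }
  const cookielessPaths = () =>
    [...stats].filter(([, s]) => s.withCookie === 0).map(([p]) => p).sort();
  return { middleware, stats, cookielessPaths };
}

// Constructed sample traffic (not captured from a real app).
const sid = 'connect.sid=s%3Aconstructed-id.constructed-sig';
const sampleRequests = [
  { url: '/login', headers: {} },
  { url: '/login', headers: { cookie: sid } },
  { url: '/robots.txt', headers: {} },
  { url: '/dashboard?tab=2', headers: { cookie: `theme=dark; ${sid}` } },
  { url: '/robots.txt', headers: { cookie: 'theme=dark' } },
];

function runSample() {
  const audit = createSessionCookieAudit();
  for (const req of sampleRequests) audit.middleware(req, {}, () => {});
  return audit;
}

console.log(runSample().cookielessPaths());
```

In an Express app, `app.use(createSessionCookieAudit().middleware)` would go before the session middleware, in the same position as the logging middleware in the answer.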