1

When I call the /test route directly from the browser, I find that the session has been properly set. But when I do the same from an ajax call, I find that the session does not have the information I had previously added through the other route /temp.

express-session config

{
    "key": "nsid",
    "secret": "some secret password",
    "cookie": {
        "path": "/",
        "httpOnly": false,
        "maxAge": null,
        "secure": false
    },
    "resave": true,
    "saveUninitialized": true,
    "proxy": null
}

routes.js

router.get('/temp', (req, res) => {
    const useCase = 'card';
    req.session = req.session || {};
    req.session.trackingInformation = {};
    req.session.trackingInformation.useCase = useCase;
    req.session.save();
    console.log(req.session);
    res.render('/temp');
});

router.get('/test', (req, res) => {
    console.log(Util.inspect(req.session));
    res.send({});
});

ajax call

fetch('/test').then((response) => {
    if (response.status >= 400) {
        console.log(response.status);
    }
    return response.json();
}).then((json) => {
    console.log(json);
    //do something
});

When I call the localhost:8000/temp and then call the /test as a fetch ajax call:

{
    "cookie": {
        "path": "/",
        "_expires": null,
        "originalMaxAge": null,
        "httpOnly": false,
        "secure": false
    },
    "_csrfSecret": "secret",
    "_shared": {
        "deviceInfo": {
        ...
        }
    }
}

The trackingInformation property clearly is not set. But if I call the same directly from my browser localhost:8000/test after first calling locahost:8000/temp, I have the trackingInformation set in the session.

{
    "cookie": {
        ...
    },
    "_csrfSecret": "secret",
    "_shared": {
        "deviceInfo": {
        ...
        }
    },
    "trackingInformation": {
        "useCase": "card"
    }
}
ytibrewala
  • 957
  • 1
  • 8
  • 12

1 Answers1

2

The answer was in the ajax call. Fetch by default doesn't send the cookies. You need to enable the sending of cookies by passing credential: 'same-origin' as an option. So the fetch call should have been -

fetch('/test', {
    credentials: 'same-origin'
}).then((response) => {
    if (response.status >= 400) {
        console.log(response.status);
    }
    return response.json();
}).then((json) => {
    console.log(json);
    //do something
});

Look at this for more information.

ytibrewala
  • 957
  • 1
  • 8
  • 12
  • Wasted over an hour on this, thanks! Looks like it's located in the docs, just isn't highlighted very much (https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch) `By default, fetch won't send or receive any cookies from the server, resulting in unauthenticated requests if the site relies on maintaining a user session (to send cookies, the credentials header must be sent).` – Lance Whatley Jul 29 '17 at 21:26