
I'm busy building a platform with 3 different subdomains - example.com, auth.example.com and api.example.com. They're run with 3 separate NodeJS apps running on different ports of the server.

Here is the code setting up the sessions:

var express = require("express");
var session = require("express-session");
var redisStore = require("connect-redis")(session);
var redis = require("redis");
var config = require("./config"); // assumed: holds config.redis and config.server.secret

var app = express();
var redisClient = redis.createClient(config.redis);

app.use(session({
    secret: config.server.secret,
    // connect-redis takes the client in its own options object;
    // express-session ignores a top-level `client` key
    store: new redisStore({ client: redisClient }),
    resave: false,
    saveUninitialized: false,
    cookie: {
        domain: "example.co.za",
        httpOnly: false
    }
}));

The configuration is exactly the same for all 3 apps and they're sitting on the same server. For some reason, the sessions are not being shared. I seem to remember that they were being shared a few weeks back and now things are broken - I have a sneaky suspicion that this happened when we moved all the traffic from HTTP to HTTPS. Would this break the sessions? I tried to turn off 'httpOnly' in case it restricted the sessions, but no luck.

I have run redis-cli MONITOR and the session is, in fact, being saved on login (Auth App) but is not being retrieved by the other app. When I turned saveUninitialized to true, the requests to save were coming from all 3 apps - this shows that they are connected to the same Redis Store.

Any help would be great.

Nick Corin
  • Verify what cookies are being stored / sent by each client, see if there is any difference. Also check the headers (especially `Set-Cookie`), and take a look at [this](http://stackoverflow.com/questions/7834228/set-cookie-for-domain-instead-of-subdomain-using-nodejs-and-expressjs). This is also probably too big of a question for a comment, but is there a reason your auth and your api endpoints need sessions? – dvlsg Aug 22 '16 at 16:16
  • Turns out the answer below solved my problem. Thanks for the help though. Just to satisfy any curiosity - auth was creating the session after login but then the api needed to check that there was a session active and verify the data inside before allowing access. – Nick Corin Aug 22 '16 at 23:32

1 Answer

I think this is just a cookie issue. The browser is not sending the session cookie back on your sub-domains: you need a leading `.` on the domain, e.g.:

cookie: {
    domain: ".example.co.za",
    httpOnly: false
}

In case that doesn't work and you are having AJAX issues, see this post.

bknights
  • Thanks! For some reason, I had tried this but it didn't work initially. Later when I tried it again, it just worked? Either way, thanks for making me try it again :) Just a note - I didn't have to set `httpOnly: false`, it worked fine as `true` with HTTPS. – Nick Corin Aug 22 '16 at 23:31
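As an added example, not part of the question or of bknights' answer: a small JavaScript model of the browser-side rules from RFC 6265 that decide whether a session cookie set by auth.example.com is sent back to api.example.com and example.com. The host names and cookie options are constructed to match the setup in the question. It covers the three cases worth checking when sessions stop being shared: no Domain attribute (a host-only cookie, never shared across subdomains), a Domain attribute covering the parent domain (shared; RFC 6265 strips a leading dot before matching, so `example.com` and `.example.com` behave the same in current browsers), and a Domain attribute the setting host does not belong to, such as the `example.co.za` in the question's config used from `example.com` hosts, which the browser discards outright. The `secure` option models the HTTPS move: a Secure cookie is simply not sent over plain HTTP. `httpOnly` is not modelled because it only blocks script access and never changes whether the browser sends the cookie.

```javascript
// Added example, not from the question or answer. Models a browser's
// cookie storage and matching rules (RFC 6265 sections 5.1.3, 5.2.3, 5.4)
// for the subdomain setup in the question. All host names are constructed.

// RFC 6265 5.2.3: lower-case the Domain attribute and drop one leading dot.
function canonicalizeDomain(value) {
  let d = String(value).trim().toLowerCase();
  if (d.startsWith(".")) d = d.slice(1);
  return d;
}

// RFC 6265 5.1.3: host domain-matches domain if equal or host ends in "." + domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Simulate the browser receiving Set-Cookie from `setByHost`.
// Returns the stored cookie record, or null if the browser rejects it.
function storeCookie(setByHost, cookieOptions) {
  const secure = Boolean(cookieOptions.secure);
  if (cookieOptions.domain === undefined) {
    // No Domain attribute: host-only cookie, tied to exactly this host.
    return { hostOnly: true, domain: setByHost.toLowerCase(), secure };
  }
  const domain = canonicalizeDomain(cookieOptions.domain);
  // The host that sets the cookie must itself domain-match the attribute,
  // otherwise the cookie is ignored entirely (RFC 6265 5.3 step 6).
  if (!domainMatches(setByHost, domain)) return null;
  return { hostOnly: false, domain, secure };
}

// Simulate the browser deciding whether to attach the cookie to a request.
function wouldSendCookie(cookie, requestHost, https) {
  if (!cookie) return false;
  if (cookie.secure && !https) return false; // Secure cookies need HTTPS
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain;
  return domainMatches(requestHost, cookie.domain);
}

// The question's flow: the auth app sets the session cookie, then the
// api app and the root site must receive it over HTTPS.
function scenario(cookieOptions) {
  const cookie = storeCookie("auth.example.com", cookieOptions);
  return {
    stored: cookie !== null,
    api: wouldSendCookie(cookie, "api.example.com", true),
    root: wouldSendCookie(cookie, "example.com", true),
  };
}

console.log("no domain      ", scenario({}));
console.log("domain=.example.com", scenario({ domain: ".example.com" }));
console.log("domain=example.com ", scenario({ domain: "example.com" }));
console.log("domain=.example.co.za", scenario({ domain: ".example.co.za" }));
```

Running it shows the host-only cookie staying on auth.example.com, both spellings of the parent domain reaching api.example.com and example.com, and the `example.co.za` value never being stored at all. This is the same check dvlsg's comment suggests doing by hand: compare the `Set-Cookie` header the auth app emits with the `Cookie` header each other app receives. One HTTPS-specific point outside this model: if `cookie.secure` is enabled and the Node apps sit behind a TLS-terminating proxy, express-session only sets the cookie when Express trusts the proxy (`app.set("trust proxy", 1)`), otherwise it sees plain HTTP and sends no cookie at all.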