Organizational Research By

Surprising Reserch Topic

node js express passport cookie expiration

node js express passport cookie expiration  using -'node.js,express,passport.js'

I am using Passport for authentication in my app, and I am also using Express. To summarize my issue: my login functionality works fine initially, but after any user's session times out, no users are able to log in.

I am using the standard Local strategy for authentication.

I'll include as bare an example as possible based on my setup:

//Set up authentication with Passport
var userModel = require('./models/user')(db);
passport.use(new LocalStrategy(
    function(username, password, done) {
        var errorMessage = 'Incorrect username/password combination.';
        userModel.GetUserByUsername(username, function(err, user) {
            if (err) { return done(err); }
            if (!user) {
              return done(null, false, { message: errorMessage });

            user.validatePassword(password, function(isPasswordCorrect) {
                if (!isPasswordCorrect)
                    return done(null, false, { message: errorMessage });

                //Update with login date
                userModel.UpdateUserWithLogin(username, user.currentLoginTime, function(err){
                    //if we have an error here, we should probably just log it

                return done(null, user);

passport.serializeUser(function(user, done) {
  done(null, user);

passport.deserializeUser(function(user, done) {
    userModel.GetUserByUsername(user._id, function(err, user) {
            done(err, user);

//Set up express and configure
var sessionStore = new SkinStore(db);
var app = express();

    app.set('port', process.env.PORT || 3000);
    app.set('views', __dirname + '/views');
    app.engine('html', consolidate.swig);
    app.set('view engine', 'html');
        root: '.',
        allowErrors: true, // allows errors to be thrown and caught by express instead of suppressed
        autoescape: false});


    app.use(express.session({   store: sessionStore,
                            cookie: { expires : new Date( + 3600000) } //1 Hour

    app.use(express.static(path.join(__dirname, 'public')));

    //Dynamic helpers


app.get('/login', routes.login);'/login', passport.authenticate('local', {failureRedirect: '/login',
                                               badRequestMessage: "Please enter username and password",
                                               failureFlash: true }),
                                               function(req, res) {
                                                    var targetUrl = req.session.pageAfterLogin;
                                                    delete req.session.pageAfterLogin;
                                                    res.redirect(targetUrl || '/account');

app.get('/account', IsAuthenticated,;

And the IsAuthenticated helper function:

function IsAuthenticated(req,res,next){
        //save the requested page and then redirected
        req.session.pageAfterLogin = req.url;
        req.flash("error", "You must be logged in first!");

What I can find by debugging is that, after successful authentication (and after a cookie has expired), I hit this logic (from above):

function(req, res) {
    var targetUrl = req.session.pageAfterLogin;
    delete req.session.pageAfterLogin;
    res.redirect(targetUrl || '/account');

Where I can see that the "req" has the session properly set, with Passport information stored properly. Then, the redirect happens, the new request has no session information stored, and has an entirely new Session ID. I suspected that no cookie was being set on the client, and that does appear to be the case, which should explain the lack of consistent sessions.

However, I cannot figure out why no new cookie is being set. Is there something wrong with how the app is configured that would indicate why this is happening?

I should add that restarting the Node.js instance fixes the issue, it's just not something that would be tolerable in production.


UPDATE: I ran Fiddler to see what was happening with HTTP/S traffic, and I can see that when it works initially, I'm getting a cookie set in the browser (I tried several) which is then passed back to the server on subsequent requests.

When it doesn't work, the browser is not passing cookies to the server, and so Node is sending a Set-Cookie header that provides a new cookie each time. So far I've had no luck determining the cause of this.

asked Sep 18, 2015 by virendra.bajaj
0 votes

Related Hot Questions

Government Jobs Opening