Internal Server Error after logging in; Cannot read property 'expires' of undefined in express-session

[oddstr13]

Possibly an upstream issue, as I don't see files from this project in the stack trace?

Version: 1.27.1 (9e6149c57e6f1f44cedd6545215de048ff2a302c) + a tiny hack to get my modifications to get-product-name included (see bottom of the issue)

[ EXPRESS ] 10.79.0.1 - POST /login
[ EXPRESS ] 10.79.0.1 - GET /
TypeError: Cannot read property 'expires' of undefined
    at SessionStore.Store.createSession (/usr/src/app/node_modules/express-session/session/store.js:87:29)
    at inflate (/usr/src/app/node_modules/express-session/index.js:372:13)
    at /usr/src/app/node_modules/express-session/index.js:499:11
    at SessionStore.get (/usr/src/app/node_modules/session-pouchdb-store/lib/store.js:193:5)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:94:5)

Possibly related to the following stacktrace from a day earlier;

TypeError: maxAge must be a number or Date
    at Cookie.set maxAge [as maxAge] (/usr/src/app/node_modules/express-session/session/cookie.js:85:13)
    at new Cookie (/usr/src/app/node_modules/express-session/session/cookie.js:37:19)
    at SessionStore.Store.createSession (/usr/src/app/node_modules/express-session/session/store.js:90:17)
    at inflate (/usr/src/app/node_modules/express-session/index.js:372:13)
    at /usr/src/app/node_modules/express-session/index.js:499:11
    at SessionStore.get (/usr/src/app/node_modules/session-pouchdb-store/lib/store.js:187:4)
    at session (/usr/src/app/node_modules/express-session/index.js:485:11)
    at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/usr/src/app/node_modules/express/lib/router/index.js:317:13)
    at /usr/src/app/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/usr/src/app/node_modules/express/lib/router/index.js:335:12)
    at next (/usr/src/app/node_modules/express/lib/router/index.js:275:10)
    at urlencodedParser (/usr/src/app/node_modules/body-parser/lib/types/urlencoded.js:91:7)
    at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/usr/src/app/node_modules/express/lib/router/index.js:317:13)
    at /usr/src/app/node_modules/express/lib/router/index.js:284:7

---

[expand] My local changes for running custom get-product-name

diff --git a/Dockerfile b/Dockerfile
index e114ef1..6fc0667 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,8 +5,20 @@ RUN apk --no-cache add curl
 ENV NODE_ENV production
 WORKDIR /usr/src/app
 
-COPY ["package.json", "package-lock.json*", "npm-shrinkwrap.json*", "patched-express-response.js", "./"]
-RUN npm install --production --silent
+COPY ["package.json", "npm-shrinkwrap.json*", "patched-express-response.js", "./"]
+COPY ./get-product-name ./get-product-name
+
+#RUN yarn install --force
+#RUN pushd get-product-name; yarn install --force; popd
+
+
+RUN cd get-product-name && npm install --production; cd ..
+RUN npm install --production
+RUN npm install session-pouchdb-store
+RUN npm install passport-local
+RUN npm install bcrypt-nodejs
+RUN npm install connect-flash
+RUN npm install passport
 
 COPY . .
 
@@ -19,4 +31,4 @@ ENV DB_PREFIX /data/dbs/
 
 ENV SECRET_DIRNAME /data
 
-CMD ./Dockerstart.sh
\ No newline at end of file
+CMD ./Dockerstart.sh
diff --git a/package.json b/package.json
index e4bf0e0..57de08d 100644
--- a/package.json
+++ b/package.json
@@ -27,7 +27,7 @@
     "express": "4.17.1",
     "express-pouchdb": "^4.2.0",
     "express-session": "^1.17.2",
-    "get-product-name": "1",
+    "get-product-name": "file:./get-product-name",
     "jsdom": "^17.0.0",
     "lodash": "^4.17.20",
     "marked": "^3.0.3",

[oddstr13]

I had ended up with multiple session cookies, with different path on them (7 in total, for different pages within the app). Deleting all of them and logging back in gave me a working session.

Looks like the additional cookies are set in response to POST requests.

Deleting only the one on the root path (/), and then logging back in (getting a new session cookie on the root path, but not on /wishlist etc) causes a redirect loop back via /login -> / -> /wishlist -> /login. / and /login are presented with one sid, but /wishlist by two different cookies with the same name.

I think it's possible to hit this error condition without manually deleting the cookie too (possibly due to session expiry?), as I've seen that redirect loop behavior before, and the workaround has been to delete all domain cookies.

I have not managed to reproduce the stack trace, but I think it may be related to this behavior in regards to cookies.

[Wingysam]

I have had this happen to me before, but could never make it happen consistently so I wasn't able to experiment with fixes.

There's a relevant issue in expressjs: https://github.com/expressjs/session/issues/551

[zethis]

I have the problem when i reset the activation password link, send to the person, and getting "Internal Server Error". Hope it helps :)

[Wingysam]

Is anything logged in the console?