Cookies disabled results in loss of session (no workaround via Header)
It looks like express-session relies strictly on cookies. In cases where third-party cookies are disabled (IE/Safari by default) or cookies are disabled entirely, there is no workaround to send a custom header to be handled to set the session ID.
For custom middleware that triggers before express-session, we can set req.sessionID via a header or other option, but it will be overridden here: https://github.com/expressjs/session/blob/master/index.js#L179
How about a way to take headers? Or at least look to see if sessionID is already defined?
There have been a few issues asking for some kind of feature that would fill this requirement. https://github.com/expressjs/session/issues/158 https://github.com/expressjs/session/pull/159 https://github.com/expressjs/session/pull/40
+1 for looking to see if sessionID is already defined
+1 Definitely, looking forward to a way to utilize sessions without the need to rely on cookies. Would be great if this plays nicely with RedisStore as well.
+1
I have been thinking about this kind of problem recently on my own projects. I know this might not be what you are looking for, but it may help others. If you have a login page where users log in, they send the POST request to /login;
then on success they are sent a cookie and redirected to, e.g., /bounce,
and if their session or cookie doesn't exist, redirect them to your "oh no, you don't have cookies enabled" page;
if they have a valid session, then they are sent to the default home page...
Are there any plans for supporting this case? Would love to hear if there is any workaround.
To be clear: to make this work without cookies in a browser environment, you have two options:
- In an SPA, keep around the credentials in a locally scoped variable. This will result in the session being lost upon page reload, and it's tricky to implement this safely, but it's possible. Your users are not going to like it, though.
- Otherwise, you need to store the session ID somewhere else - and that somewhere else is essentially guaranteed to be an insecure place. Cookies have certain security mechanisms in place that prevent session hijacking, and it's a terrible idea to try and store them elsewhere. This article explains further.
If the user's system doesn't have cookies enabled, then tell them to enable them. Cookies are essentially a prerequisite to be able to safely deal with sessions (of any kind), and if a user chooses to leave them disabled, then it is only reasonable that they will not be able to access any authenticated resources.
I have no involvement with this project, but just an additional point of clarity as I stumbled upon this issue:
In cases where third party cookies are disabled (IE/safari by default)
This comment makes it sound like express-session doesn't work in Safari or IE, which is nonsense. This is not relevant to express-session, as the cookie containing the session id for your own application should always be a first party cookie.
Further, when we are talking about non-developing nations with some reasonable network infrastructure, my own data shows less than 0.06% of users having javascript disabled and just over 0.01% with cookies completely disabled (a mix across Canada, Ireland, Australia, and New Zealand).
I'm not saying that the request is unreasonable. I fully understand that these numbers may be considerably higher in even newly industrialized (China) or high-tier developing (India) nations. The two concerns here are really: 1.) the security ones mentioned above, and 2.) whether this should be in scope of what express-session offers or not.
I know I am commenting on an old post, but I am still facing this issue and I fear the above workaround will not work. I don't have any ajax/fetch calls; I have a simple index page which is loading one JS file and one CSS file from a server location which is guarded by express-session and passport together. The funny thing is, whenever any file with a .js extension is requested, Safari doesn't send the cookie, thus resulting in a new session being created, which passport redirects to the login page :( But the same is not true for any other extension, e.g. the CSS file in the above case. Is there a proposed workaround for this?
You get the sessionID and sign the cookie yourself. After that, send connect.sid in the headers, then save it yourself on the client.
I may not have understood this. Let me tell you what I have: index.html referring to script.js and app.css in the head section. script.js and app.css are under the express-session path.
Observed behaviour only on Safari: the same session ID is used to get index.html and app.css, but a different session ID (which makes me think it doesn't send the session cookie with this request) is used to get script.js; in fact all and any *.js. I do not have a clue why it is this way.
The browser issues an http request to your server, then the server fetches the cookie from the response headers. If the cookie is not saved on the client, or doesn't exist in the headers, then the server will miss the chance to authenticate the client. Make sure to attach the cookie yourself to the request headers when fetching those pages manually in the case of Safari.
You can create a custom XMLHttpRequest to fetch your .js and .css files.
<script type='text/javascript' async>
  // Read a cookie value out of document.cookie by name. Note that this only
  // sees cookies without the HttpOnly flag; express-session sets its cookie
  // HttpOnly by default, in which case `sid` below will be undefined.
  const getCookie = function (name) {
    const value = "; " + document.cookie;
    const parts = value.split("; " + name + "=");
    if (parts.length === 2) {
      return parts.pop().split(";").shift();
    }
  };
  const sid = getCookie('connect.sid');
  const xhttpConfig = {
    method: 'GET',
    // Browsers do not let page scripts set the Cookie request header (it is a
    // forbidden header name and fetch silently drops it), so `credentials`
    // is what actually makes the browser attach the session cookie. The
    // manual header is kept for non-browser clients that honour it.
    credentials: 'include',
    headers: {
      Accept: 'text/html',
      cookie: `connect.sid=${sid}`
    }
  };
  fetch('YOUR_SERVER_URL/file.(css | js)', xhttpConfig).then(
    response => response.text()
  ).then(
    html => console.log(html)
  );
</script>
@LRagji Did the solution given by @mhdSid help in resolving your issue?
@HarshithaKP Nope, I didn't try it; it was too much of a workaround for a single browser.
@LRagji Is the issue still appearing? If yes, can you please provide code to recreate it?
@HarshithaKP I don't have the code now; this project is shelved. In total, what I understand is that, for Safari, due to enhanced security, it doesn't send cookies when requesting scripts from the HTML head section, thus creating a new session with express. The workaround suggested is to make an XHR call with the session ID for those files instead of putting them in the head section, which theoretically sounds valid... May I know if you have the same problem, or if you are asking to close this issue?
@HarshithaKP It's not too much of a workaround, but this is what can be done. Or you can add an HTTP proxy to append custom headers, which I'm not sure is a stable solution. Adding a fetch to manually retrieve your files makes your initial page load faster, as you can load the app shell first and then the page content. You can try it; it should solve your problem. Let me know how it goes :)