memory leak / security problem when used with express 3.4.5
Hi,
Thanks for express-sessions - nice lib, and the only one I found that really works ;)
I hit a problem when using express 3.4.5 (may also affect other 3.x.y versions), which seems to be because of a version clash with express-sessions' dependency on 2.x.y.
To see the problem: (1) Create a new express project with 3.x.y, using "express myapp". (2) Add the following middleware to app.js:
var inc = 0;
app.use(function(req, res, next){
  // Each request writes one new key; with a fresh res.locals per request only the latest key should ever be present.
  res.locals["" + inc] = inc++;
  console.log(res.locals);
  next();
});
(3) start the app and hit the app a few times with curl or a browser - you'll see that the same res.locals is re-used and just grows forever. This also means that any private information you might put in res.locals is available to the next request!
{ '0': 0, '1': 1, '2': 2, ... }
Without express-sessions res.locals is a new object on each request and you only see the latest value of inc, e.g.:
{ '3': 3 }
Just changing the dependency version to 3.4.5 fixes the problem for me.
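The following is an added example, not code from this issue or from express-sessions. It models the symptom described above with a toy middleware pipeline and no real HTTP server: one response factory shares a single `locals` object across requests (a shared-prototype bag, assumed here purely as an illustration of how the symptom can arise, not as the actual cause inside express-sessions), the other creates a fresh bag per request as Express 3 does. The `handle`, `countLeakedKeys` and `secondRequestSeesFirstUser` helpers are hypothetical names used only in this example; `countLeakedKeys` generalizes the counter middleware from the report into a reusable check, and `secondRequestSeesFirstUser` shows the cross-request disclosure concretely.

```javascript
'use strict';
// Added example, not code from this issue or from express-sessions. It models
// the reported symptom with a toy middleware pipeline: a `locals` bag shared
// across requests versus one created fresh per request. The shared-prototype
// factory is an assumed mechanism chosen for illustration only.

// One object shared by every response in the process. A mutable per-request
// bag stored here is the bug: every instance resolves `locals` to this object.
const leakyResponsePrototype = { locals: {} };

// Buggy factory: `res.locals.x = 1` writes into the single shared object.
function createLeakyResponse() {
  return Object.create(leakyResponsePrototype);
}

// Correct factory: a fresh null-prototype bag per request, the shape that
// Express 3 gives res.locals.
function createSafeResponse() {
  const res = Object.create(null);
  res.locals = Object.create(null);
  return res;
}

// Drives one request through a Connect/Express-style middleware stack.
function handle(stack, req, makeResponse) {
  const res = makeResponse();
  let i = 0;
  function next() {
    const mw = stack[i++];
    if (mw) mw(req, res, next);
  }
  next();
  return res;
}

// The report's counter middleware, generalized: each request writes one unique
// key under a per-call tag, then we count how many tagged keys the final
// response carries. More than one means state survived across requests.
let callSeq = 0;
function countLeakedKeys(makeResponse, requests = 3) {
  const tag = 'req' + callSeq++ + '_';
  let inc = 0;
  const counter = (req, res, next) => { res.locals[tag + inc] = inc++; next(); };
  let last;
  for (let n = 0; n < requests; n++) {
    last = handle([counter], { user: 'user' + n }, makeResponse);
  }
  return Object.keys(last.locals).filter((k) => k.startsWith(tag)).length;
}

// The security consequence: a probe that runs before the auth layer reads
// whatever the previous request left behind in res.locals.
function attachUser(req, res, next) {
  res.locals.user = req.user; // what a session/auth middleware typically does
  next();
}
function probe(req, res, next) {
  res.locals.seenBefore = res.locals.user; // should always be undefined here
  next();
}
function secondRequestSeesFirstUser(makeResponse) {
  handle([probe, attachUser], { user: 'alice' }, makeResponse);
  const second = handle([probe, attachUser], { user: 'bob' }, makeResponse);
  return second.locals.seenBefore; // 'alice' when leaky, undefined when per-request
}

console.log('leaky keys:', countLeakedKeys(createLeakyResponse));            // 3
console.log('safe keys: ', countLeakedKeys(createSafeResponse));             // 1
console.log('leaky sees:', secondRequestSeesFirstUser(createLeakyResponse)); // alice
console.log('safe sees: ', secondRequestSeesFirstUser(createSafeResponse));  // undefined
```

The same check works against a real app: mount a middleware that writes a per-request key into `res.locals`, make a few requests, and treat any key count above one as a cross-request leak, which is exactly what the reporter observed with the mismatched express versions.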