A Node.js express session is overwritten by another parallel session

We use the express-session library to handle the request sessions. A session is sometimes overwritten by another parallel session.

For example, a Client A accesses our app and generates Session #A. After that, another Client B creates Session #B. Then Client A refreshes the same app and finds that its session has been changed to Session #B. In other words, Session #A has been replaced by Session #B.

Does anyone have experience resolving a similar issue?

Part of my source code is attached below; it is written in TypeScript. The session config is defined in sess.ts. The store I am using is express-oracle-session.

sess.ts

exports.configSession = () => {
    let oracledb = require('oracledb');
    let session = require('express-session');
    let oracleDbStore = require('express-oracle-session')(session);
    // Options for the express-oracle-session store
    let sessOpts = {
        checkExpirationInterval: 60000,
        createDatabaseTable: true,
        schema: {
            tableName: 'ldap_sessions'
        }
    };

    // Resolves with a configured express-session middleware once the DB connection is ready
    return new Promise((resolve, reject) => {
        oracledb.getConnection('oracle_db', (err, conn) => {
            if (err) {
                return reject(err.message);
            }
            let sessionStore = new oracleDbStore(sessOpts, conn);
            let sessConfig = {
                secret: 'ldap secret',
                resave: true,
                saveUninitialized: true,
                rolling: true,
                cookie: {
                    httpOnly: false,
                    maxAge: 1000 * 60 * 60 * 24
                },
                store: sessionStore
            };
            return resolve(session(sessConfig));
        });
    });
};

server.ts

let express = require('express');
let configSess = require('./sess');
let cookieParser = require('cookie-parser');
let bodyParser = require('body-parser');

let app = express();

// Mount the session middleware only after the store has connected, then start listening
configSess.configSession().then((sess) => {
    app.use(sess);
    startServer();
});

1 answer

  • answered 2018-11-08 03:11 jfriend00

    Well, you say you're using express-session. That uses a cookie in the browser to keep track of clients. So, the only way I know of that client A and client B get their sessions mixed up is if they are in the same browser. If so, that is working as intended. Each browser gets one session. If you create a session in one window, then create another session in another window, the cookie for the 2nd session will overwrite the cookie from the first window and a refresh in the second window will take on the 2nd session. That is how express-session works.

    If you're not using the same browser for both clients, then there's something seriously wrong in your server implementation of express-session and we'd have to see your server-side code to help further with that.

    If you want to have two separate sessions in the same browser for separate purposes (e.g. one for an admin login and one for a user login), then you can see here: how to manage multiple session in express js. But, that is not so that you can have two separate clients each with the same type of session and separate sessions operating in the same browser. I don't think that is something that express-session supports. To do that, you'd probably have to use something other than cookies for keeping track of session keys (perhaps the old ?sessionid=xxxxx in every URL, but that has its own whole set of issues, which is why it's rarely used any more).