sessionID express 3.0 connect 2.0

Allan hansen

Mar 22, 2012, 12:22:58 PM
to Express
Hi, I've been working a bit with the master branch from git, and maybe it is
me being a relative newbie, but on the 2.* the req.sessionID was the
same as in the parsed cookie [connect.sid], but in 3.0 I only get the
utils.uid(24) when getting req.sessionID, not the rest, base etc., as
in connect 1.*

var base = utils.uid(24);
var sessionID = base + '.' + store.hash(req, base);
req.sessionID = sessionID;

and in connect 2.0

store.generate = function(req){
    req.sessionID = utils.uid(24);
    req.session = new Session(req);
    req.session.cookie = new Cookie(req, cookie);
};

Is it supposed to be that the req.sessionID is not the whole
connect.sid cookie, or am I missing something?

thank you

thibaud

Apr 16, 2012, 7:58:49 AM
to expre...@googlegroups.com
Hi, same here,
I just switched to Express 3.0.0alpha1 and req.sessionID is different from Express 2.x

It seems the sessionStore keys are now the shorter uid(24)-only version and no longer the 'long' version (described in the above post) stored in the cookie.

I use socket.io and the technique described here: http://www.danielbaulig.de/socket-ioexpress/ to retrieve the Express sessions...
My 'problem' is that in socket.io's handshake, I retrieve the cookie's 'express.sid' value which is the full one stored in the cookie... therefore it's no longer the key for the Express session in the sessionStore...

data.sessionID = cookie['express.sid']; //the long/full version stored in the cookie

sessionStore.load(data.sessionID, function(err, session) {
    //session not loaded... undefined...
});

For the moment I fixed it by doing a simple split('.')[0] to retrieve the uid(24) part:

data.sessionID = cookie['express.sid'].split('.')[0];

sessionStore.load(data.sessionID, function(err, session) {
    //session loaded OK...
});

Just like Allan hansen, I'd like to know if the req.sessionID is indeed now supposed to be only the uid(24) part of the whole express.sid cookie, and if the technique I used to retrieve the session within socket.io is the way to go from now on, or is there (probably) a better/cleaner way to do it?

thank you,

thibaud

tjholowaychuk

Apr 17, 2012, 11:28:51 AM
to expre...@googlegroups.com
Technically the SID is only the left-hand side, but I agree that this confuses things; we can tweak that back to how it was. I don't remember deliberately changing it, so it may have been more of a regression.

tjholowaychuk

Apr 17, 2012, 12:00:08 PM
to expre...@googlegroups.com
Oh right, it's because of the new cookie signing stuff :) forgot about that. The signature is stripped before it gets to the session() middleware, so that's why it's only the *real* id now. You wouldn't want to use that value without checking the signature.
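
Added example (not part of the original thread, and not Connect's own code): the signature check mentioned in the last reply, set beside the split('.')[0] shortcut from the earlier post. It assumes the cookie value is '<sid>.<signature>' with the signature an unpadded base64 HMAC-SHA256 of the sid; the names sign, unsign, compare, SECRET and SID are hypothetical.

```javascript
const crypto = require('crypto');

// ASSUMPTION: signature format is unpadded base64 HMAC-SHA256 over the sid.
function sign(sid, secret) {
  const mac = crypto.createHmac('sha256', secret).update(sid).digest('base64');
  return sid + '.' + mac.replace(/=+$/, '');
}

// Returns the sid only when the signature verifies; otherwise null.
function unsign(cookieValue, secret) {
  if (typeof cookieValue !== 'string') return null;
  const dot = cookieValue.indexOf('.');
  if (dot <= 0) return null; // no signature part, or empty sid
  const sid = cookieValue.slice(0, dot);
  // Re-sign the claimed sid and compare the whole value in constant time.
  const expected = Buffer.from(sign(sid, secret));
  const actual = Buffer.from(cookieValue);
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (expected.length !== actual.length) return null;
  return crypto.timingSafeEqual(expected, actual) ? sid : null;
}

// Constructed sample values (placeholders, not taken from the thread).
const SECRET = 'example-secret-not-from-the-page';
const SID = 'AbCdEfGhIjKlMnOpQrStUvWx'; // 24 chars, shaped like utils.uid(24)

// Compares the split('.')[0] shortcut with the verified lookup key.
function compare() {
  const genuine = sign(SID, SECRET);
  const unsignedValue = SID + '.not-a-valid-signature';
  return {
    naiveGenuine: genuine.split('.')[0],
    naiveUnsigned: unsignedValue.split('.')[0], // accepted with no check
    checkedGenuine: unsign(genuine, SECRET),
    checkedUnsigned: unsign(unsignedValue, SECRET), // rejected
    checkedBare: unsign(SID, SECRET), // rejected: no signature at all
  };
}

console.log(compare());
```

In the socket.io handshake shown earlier, the value passed to sessionStore.load would be the result of unsign, with a null result treated as a failed handshake.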