sessionID express 3.0 connect 2.0

sessionID express 3.0 connect 2.0 Allan hansen 3/22/12 9:22 AM
Hi, I have been working a bit with the master branch from git, and maybe it is
me being a relative newbie, but on 2.* the req.sessionID was the
same as the parsed cookie [connect.sid]. In 3.0 I only get
utils.uid(24) when getting req.sessionID, not the rest (base etc.) as
in connect 1.*:

    var base = utils.uid(24);
    var sessionID = base + '.' + store.hash(req, base);
    req.sessionID = sessionID;

and in connect 2.0

store.generate = function(req){
    req.sessionID = utils.uid(24);
    req.session = new Session(req);
    req.session.cookie = new Cookie(req, cookie);
};

Is req.sessionID supposed not to be the whole connect.sid cookie, or
am I missing something?

thank you
Re: sessionID express 3.0 connect 2.0 thibaud 4/16/12 4:58 AM
Hi, same here,
I just switched to Express 3.0.0alpha1 and req.sessionID is different from Express 2.x

It seems the sessionStore keys are now the shorter uid(24)-only version and no longer the 'long' version (described in the above post) stored in the cookie.

I use socket.io and the technique described here: http://www.danielbaulig.de/socket-ioexpress/ to retrieve the Express sessions...
My 'problem' is that in socket.io's handshake I retrieve the cookie's 'express.sid' value, which is the full one stored in the cookie... therefore it's no longer the key for the Express session in the sessionStore...

data.sessionID = cookie['express.sid']; //the long/full version stored in the cookie

sessionStore.load(data.sessionID, function(err, session) {
    //session not loaded... undefined...
});

For the moment I fixed it doing a simple split('.')[0] to retrieve the uid(24) part:

data.sessionID = cookie['express.sid'].split('.')[0];

sessionStore.load(data.sessionID, function(err, session) {
    //session loaded OK...
});

Just like Allan hansen, I'd like to know whether req.sessionID is indeed now supposed to be only the uid(24) part of the whole express.sid cookie,
and whether the technique I used to retrieve the session within socket.io is the way to go from now on, or whether there is (probably) a better/cleaner way to do it?

thank you,

thibaud
Re: sessionID express 3.0 connect 2.0 tjholowaychuk 4/17/12 8:28 AM
Technically the SID is only the left-hand side, but I agree that this confuses things; we can tweak that back to how it was. I don't remember deliberately changing it, so it may have been more of a regression.
Re: sessionID express 3.0 connect 2.0 tjholowaychuk 4/17/12 9:00 AM
Oh right, it's because of the new cookie signing stuff :) forgot about that. The signature is stripped before it gets to the session() middleware, so that's why it's only the *real* id now. You wouldn't want to use that value without checking the signature.
Re: sessionID express 3.0 connect 2.0 Gistya Eusebio 1/12/13 7:25 AM
Instead of the split, it's better to do this:

    var cookie = require('cookie-signature'); // unsign(val, secret) returns false on a bad signature

    if (sid['connect.sid']) {
        sid = sid['connect.sid'].slice(2); // drop the "s:" signed-cookie prefix
        sid = cookie.unsign(sid, "mySecret");
    }

That way you get "false" if the cookie was tampered with. Using split defeats the purpose of having signed cookies.

-gistya