sessionID express 3.0 connect 2.0

Showing 1-4 of 4 messages
sessionID express 3.0 connect 2.0 Allan hansen 3/22/12 9:22 AM
Hi been working a bit with the master branch from git and maybe it is
me being relatively newbie but on the 2.* the req.sessionID was the
same as in the cookie parsed [connect.sid] but in 3.0 I only get the
utils.uid(24) when getting req.sessionID not the rest . base etc. as
in connect 1.*

    var base = utils.uid(24);
    var sessionID = base + '.' + store.hash(req, base);
    req.sessionID = sessionID;

and in connect 2.0

store.generate = function(req){
    req.sessionID = utils.uid(24);
    req.session = new Session(req);
    req.session.cookie = new Cookie(req, cookie);

is it supposed to be the req.sessionID is not the whole cookie
connect.sid or am I missing something ?

thank you
Re: sessionID express 3.0 connect 2.0 thibaud 4/16/12 4:58 AM
Hi, same here,
I just switched to Express 3.0.0alpha1 and req.sessionID is different from Express 2.x

It seems the sessionStore keys are now the shorter uid(24)-only version and no longer the 'long' version (described in the above post) stored in the cookie.

I use and the technique described here: to retrieve the Express sessions...
My 'problem' is that in's handshake, I retrieve the cookie's 'express.sid' value which is the full one stored in the cookie... therefore it's no longer the key for the Express session in the sessionStore...

data.sessionID = cookie['express.sid']; //the long/full version stored in the cookie

sessionStore.load(data.sessionID, function(err, session) {
    //session not loaded... undefined...

For the moment I fixed it doing a simple split('.')[0] to retrieve the uid(24) part:

data.sessionID = cookie['express.sid'].split('.')[0];

sessionStore.load(data.sessionID, function(err, session) {
    //session loaded OK...

Just like Allan hansen I'd like to know if indeed the req.sessionID is now supposed to be only the uid(24) part of the whole cookie express.sid
and if the technique I used to retrieve the session within is the way to go from now on or is there (probably) a better/cleaner way to do it?

thank you,

Re: sessionID express 3.0 connect 2.0 tjholowaychuk 4/17/12 8:28 AM
technically the SID is only the left-hand side, but I agree that this confuses things, we can tweak that back to how it was. I dont remember deliberately changing it so it may have been more of a regression. 
Re: sessionID express 3.0 connect 2.0 tjholowaychuk 4/17/12 9:00 AM
oh right it's because of the new cookie signing stuff :) forgot about that. The signature is stripped before it gets to the session() middleware, so that's why it's only the *real* id now. You wouldn't want to use that value without checking the signature