Sharing sessions across subdomains


David Dripps

Apr 24, 2012, 12:59:36 PM
to expre...@googlegroups.com
Every time I log in to one subdomain, the session persists until I make a request on the other subdomain at which point the cookie changes and my session is lost.  Each subdomain runs a different instance of Node/Express, but they share the same config file and the session setup is identical (see below).

For example:
1. I log in at www.example.com and the cookie "example_session" is set with a long string identifying the session
2. I browse around www.example.com as a logged in user
3. I open app.example.com in another tab and the "example_session" cookie is immediately changed to a different value invalidating my last session
4. I go back to www.example.com and my session is gone; upon page refresh, the cookie is again reset to a different value

I'm using what I believe to be the correct cookie settings and I still can't seem to share my session across subdomains. Here is my session setup on both subdomains:
//setup cookies and sessions
app.use(express.cookieParser());
app.use(express.session({
  key: app.config.session.key,
  secret: app.config.session.secret,
  store: new redisStore({
    host: app.config.db.hosts.master.host, 
    port: app.config.db.hosts.master.port, 
    pass: app.config.db.password
  }), 
  cookie: {
    path     : '/',
    domain   : '.mydomain.com',
    httpOnly : true,
    maxAge   : 1000*60*60*24*30*12    //one year(ish)
  }
}));

tjholowaychuk

Apr 25, 2012, 2:21:13 PM
to expre...@googlegroups.com
you'll want to make sure these apps have the same "secret" so they hash the same,
the rest looks ok, we're doing similar
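
The failure mode that advice guards against, as an added example that is not part of the thread and not Express's own code: two apps share one parent-domain cookie and one store, and each verifies an HMAC-signed session cookie with its own secret. The `s:<sid>.<mac>` format is modelled on the cookie-signature package and is an assumption about the poster's version; the secrets, the `Map` standing in for Redis and all function names are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// Cookie value: "s:<sid>.<HMAC-SHA256(secret, sid), base64 without padding>".
function sign(sid, secret) {
  const mac = nodeCrypto.createHmac('sha256', secret).update(sid)
    .digest('base64').replace(/=+$/, '');
  return 's:' + sid + '.' + mac;
}

// Returns the session id when the MAC verifies under `secret`, else false.
function unsign(cookieValue, secret) {
  if (typeof cookieValue !== 'string' || !cookieValue.startsWith('s:')) return false;
  const dot = cookieValue.lastIndexOf('.');
  if (dot < 3) return false; // empty session id or no signature part
  const sid = cookieValue.slice(2, dot);
  const expected = Buffer.from(sign(sid, secret));
  const actual = Buffer.from(cookieValue);
  const ok = expected.length === actual.length &&
    nodeCrypto.timingSafeEqual(expected, actual); // constant-time compare
  return ok ? sid : false;
}

// One request: reuse the session if the cookie verifies and the id is in the
// store, otherwise create a new session and send a replacement cookie.
function handleRequest(app, cookieValue) {
  const sid = unsign(cookieValue, app.secret);
  if (sid && app.store.has(sid)) return { sid, reused: true, setCookie: null };
  const fresh = nodeCrypto.randomBytes(12).toString('hex');
  app.store.set(fresh, {});
  return { sid: fresh, reused: false, setCookie: sign(fresh, app.secret) };
}

// Constructed scenario: log in on www, open app, then return to www.
function simulate(wwwSecret, appSecret) {
  const store = new Map(); // stand-in for the shared Redis store
  const www = { secret: wwwSecret, store };
  const app = { secret: appSecret, store };
  const login = handleRequest(www, undefined);
  const second = handleRequest(app, login.setCookie);
  // The browser holds one cookie for the parent domain; a new one overwrites it.
  const jar = second.setCookie || login.setCookie;
  const back = handleRequest(www, jar);
  return { login, second, back };
}

console.log('same secret, session kept:', simulate('same', 'same').back.reused);
console.log('different secrets, session kept:', simulate('secret-A', 'secret-B').back.reused);
```

With differing secrets each app treats the other's cookie as unsigned and overwrites it, which reproduces steps 3 and 4 of the original report.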

elamison

May 27, 2012, 12:02:52 PM
to expre...@googlegroups.com
The exact same thing is happening to me with express/redis/node-passport. I have cookie domain set correctly, too.

Cailie Crane

Apr 10, 2013, 2:57:11 PM
to expre...@googlegroups.com
Hi again,

I've got this working, and noted my solution at https://github.com/jaredhanson/passport/issues/125

Thank you,
-C


On Thu, Apr 4, 2013 at 6:22 PM, Cailie Crane <caili...@gmail.com> wrote:
Hi David,

Did you end up figuring this out? I have the same problem :(

My two applications share the same session configuration (same secret, etc.). In fact, the configuration is applied by a shared code module.

Thank you,
-C


Bg Sosh

May 14, 2013, 6:08:22 AM
to expre...@googlegroups.com
I seem to be having the same problem  - @David, did you find out what was causing this?

Bg Sosh

May 14, 2013, 6:09:19 AM
to expre...@googlegroups.com
@Cailie - however you're just using cookieSessions instead of the RedisStore now.

Cailie Crane

May 14, 2013, 6:25:50 AM
to expre...@googlegroups.com
Yes, that's true. I suppose it should be called a workaround rather than a "solution". Thanks for the correction.

chirag jain

Aug 21, 2013, 7:27:32 AM
to expre...@googlegroups.com
I was able to do cross sub domain session with redis store.

Details here:
http://chiragjain.tumblr.com/post/58906890137/sub-domain-sessions-with-express-js-and-node-js

ampt

Feb 27, 2014, 8:40:56 AM
to expre...@googlegroups.com
As mentioned on your post:

You can use: domain: ".app.localhost" and it will work. The 'domain' parameter needs 1 or more dots in the domain name for setting cookies. Then you can have sessions working across localhost subdomains such as: api.app.localhost:3000.

ampt

Feb 27, 2014, 8:42:02 AM
to expre...@googlegroups.com
You can use: domain: ".app.localhost" and it will work. The 'domain' parameter needs 1 or more dots in the domain name for setting cookies. Then you can have sessions working across localhost subdomains such as: api.app.localhost:3000.
