fluffy_raptor fluffy_raptor - 2 months ago 26
Node.js Question

Sharing sessions between domain and subdomain

I'm a little more then stuck at the moment. Been spending the better part of 3 days trying to figure out this little issue which I'm hoping is just a simple mistake.

The issue at hand is I cannot get sessions to share between example.com and b.example.com. I am using AWS and currently using SSL. I must of tried all the solutions that people say will fix the issue from using CORS, leading the domain with a '.'(believe this is outdated and not needed now), to anything else I can read online. This made me beleive it was some of my other code so I commented it all out and sadly still can't get it to work. I test to see if the session is shared by printing out the SessionID in some middleware and visiting the subdomain and domain then checking the logs. For the subdomain I 'host' it on vhost I'll post my code below.
Thank you in advance and if you need any other information I'll try to post it as fast as possible.

main app.js

var express = require('express');
var app = express();
var vhost = require('vhost');
var mongoose = require('mongoose');
var bodyParser = require('body-parser');
var helmet = require('helmet');
var flash = require('req-flash');
var cors = require('cors');
var session = require('express-session');
var favicon = require('serve-favicon');
var MongoStore = require('connect-mongo')(session);


var middlewares = require("./app/middlewares/middleware.js");
var controllerLogic = require('./app/controllers/logic/controllerLogic.js');

//app.set('views', express.static(__dirname + '/views'));
app.set('view engine', 'ejs');
app.set('trust proxy', 1);


mongoose.connect(process.env.MONGOOSE_CONNECT);
var db = mongoose.connection;
db.on('error', console.error.bind(console, 'connection error:'));
db.once('open', function() {
console.log("MONGODB connected");
});



app.use(helmet());
app.use(favicon('./public/img/favicon.png'));
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(express.static(__dirname + '/public'));
app.use(session({
name: 'exampleSession',
genid: function(req) {
return require('crypto').randomBytes(48).toString('hex');
},
rolling: true,
secret: process.env.COOKIE_SESS_SECRET,
resave: false,
saveUninitialized: false,
domain: 'example.co',
cookie: {
test: 'help',
secure: true,
maxAge: 270000,
httpOnly: true //http://expressjs.com/en/advanced/best-practice-security.html
},
store: new MongoStore({ mongooseConnection: mongoose.connection })
}));
app.use(middlewares.prettifyDomain);
app.use(flash());
app.use(controllerLogic.flashAll);
app.use(vhost('b.example.co', require('./libs/vhost/b.app.js').app));
app.get('/ping', function (req, res) {
res.send('successfuly pinged(kinda)!');
});
require('./app/controllers/routes/boards.js')(app);
require('./app/controllers/routes/user.js')(app);
require('./app/controllers/routes/main.js')(app);



app.listen(process.env.PORT || 80);


subdomain vhost file

var express = require('express');
var app = express();
var router = express.Router();

var middlewares = require("./../../app/middlewares/middleware.js");

require('./../../app/controllers/router/routes.js')(router);


app.use(router);

exports.app = app;


If it should be working as it is I'll try to do more testing when I get back home and post what I found if any. Again thank you!

Edit: It seems like vhost creates a new session each time I refresh on the subdomain. I moved to express-subdomain. When I did this a cookie appeared on the subdomain when on vhost there was none. The SessionId is still different between subdomain and the main domain but now the subdomain doesn't have a new SessionID each request. The change looks like this...

app.use(subdomain('b', router));
require('./app/controllers/router/routes.js')(router);
//above replaced the code below.
//require('./libs/vhost/b.app.js').app;
//app.use(vhost('b.example.co', require('./libs/vhost/b.app.js').app));

Answer

Figured out my problem and was most likely due to me looking to fast at other solutions people posted.

The issue was I had the domain outside of the cookie so it wasn't going to my domain to the subdomain. Once I put

domain: 'example.co',

inside

cookie: { 
}

it fixed the issue. Also note I thought I needed to use cors but I removed them and it still worked. Hope this helps if you have the same issue!