Duplicate session cookie when changing configuration #1010
Comments
|
Thank you @AntoineAwaida for reporting this. I agree. It can create session ambiguity in cases when duplicate cookies are sent to the server. However, its not a bug. When you change cookie attributes (e.g., In order address your issue, you can name your cookies, app.use(
session({
name: 'connect.sid.v2', // New cookie name
secret: 'your-secret-key',
resave: false,
saveUninitialized: false,
cookie: {
secure: true,
httpOnly: true,
sameSite: 'strict',
},
})
);And you can do something like this to migrate, app.use((req, res, next) => {
const oldCookie = req.cookies['connect.sid'];
const newCookie = req.cookies['connect.sid.v2'];
if (oldCookie && !newCookie) {
// Attempt to migrate the old session
req.sessionStore.get(oldCookie, (err, session) => {
if (err || !session) {
// Old session doesn't exist or failed to load
return next();
}
// Save the old session under the new cookie name
req.sessionStore.set(newCookie, session, (err) => {
if (err) console.error('Failed to migrate session:', err);
// Clear the old cookie and proceed
res.clearCookie('connect.sid');
next();
});
});
} else {
next();
}
});What I can agree on is, this is rather a feature request or idea. Perhaps we need something like,
For the meantime, I am going to label this as a idea and let's see how the discussion continues. Personally, I am 👍 for adding a migration support or something like that. cc: @expressjs/session-collaborators |
I noticed that changing the configuration in production/deployed mode of express-session cookies can lead to duplicate connect.sid cookie stored in the browser with the old and the new configuration - which can be very problematic to retrieve the right session afterwards.
New configuration :
Old configuration :
To fix this, I had no choice but to change the name of the session cookie stored in the browser.
The text was updated successfully, but these errors were encountered: