expressjs/session

Session always responds with the last login session when rolling is enabled behind the iisnode proxy

dinhitcom opened this issue · 1 comments

I have a web app which authenticates with express-session and passport-local; the session store is connect-mongo. Everything works fine on localhost, but when I deployed it to production using iisnode, everything went wrong. When I log in as User A in browser instance A, it works normally; then I log in as User B in browser instance B. After that I come back to browser instance A, try to do some request as User A, and the server responds with User B's session id, so User A becomes User B in browser A. So I think the server always sends back the last session id stored on the server when rolling is enabled. (When I turn off session rolling it works normally.)
Here are the cookies, with the changed sid, in devtools:
[screenshot of the devtools cookie panel]

Here is my app config

// Module imports implied by the config below (the module for `router` is assumed)
const express = require("express");
const path = require("path");
const helmet = require("helmet");
const useragent = require("express-useragent");
const logger = require("morgan");
const cookieParser = require("cookie-parser");
const mongoose = require("mongoose");
const session = require("express-session");
const MongoStore = require("connect-mongo");
const passport = require("passport");
const router = require("./routes"); // assumed location of the app's router

const app = express();
app.use(
  helmet({
    contentSecurityPolicy: false,
  })
);
app.disable("x-powered-by");
app.use(useragent.express());

if (process.env.NODE_ENV !== "production") {
  app.use(logger("dev"));
} else {
  app.use(logger("common"));
}

// view engine setup
app.set("views", path.join(__dirname, "views"));
app.set("view engine", "pug");
app.use(express.json({ limit: "100mb", extended: true }));
app.use(express.urlencoded({ limit: "200mb", extended: false }));
app.use(cookieParser());
app.use(express.static(path.join(__dirname, "public")));

mongoose
  .connect(process.env.MONGO_URI2, {
    useNewUrlParser: true,
    useUnifiedTopology: true,
    autoIndex: false,
  })
  .then(() => console.log("Connect to MongoDB success"))
  .catch((err) => {
    console.log(err);
    // process.exit();
  });

// express-session options; `rolling: true` re-sends the cookie on every response
let sess = {
  name: "definitelyNotSID",
  secret: "super secret",
  cookie: { maxAge: 14 * 24 * 60 * 60 * 1000, secure: true },
  proxy: true,
  saveUninitialized: false,
  resave: false,
  unset: "destroy",
  store: MongoStore.create({
    client: mongoose.connection.getClient(),
  }),
  rolling: true,
};

if (app.get("env") === "production") {
  app.enable("trust proxy");
  app.set("trust proxy", 1); // trust first proxy
  sess.cookie.secure = true; // serve secure cookies
}

app.use(session(sess));

app.use(passport.initialize());
app.use(passport.session());

app.use("/", router);

I have struggled with this problem for over a day and am not sure whether it is a session, passport, or iisnode problem. Any help would be appreciated! Thanks!

Edit
I tried disabling the session store and the problem still occurs, so I don't think it is caused by connect-mongo.

I think I found it. The problem is in IIS: I have some settings to cache .js and .css files on IIS, but somehow they prevent some requests from passing through to express, which messed things up.