Session always responds with the last login session when rolling is enabled with the iisnode proxy
dinhitcom opened this issue · 1 comment
I have a web app which authenticates with express-session and passport-local; the session store is connect-mongo. Everything works fine on localhost, but when I deployed it to production using iisnode everything went wrong. When I log in as User A in browser instance A, it works normally; then I log in as User B in browser instance B. After that I come back to browser instance A and try to make some request as User A, and the server responds with User B's session id, so User A becomes User B in browser A. So I think the server always sends back the last session id stored on the server when rolling is enabled. (When I turn off session rolling it works normally.)
Here are the cookies in devtools, where the sid was changed:
Here is my app config:
```js
// Assumed imports (the issue omits them); module names follow the packages the post mentions
const express = require("express");
const helmet = require("helmet");
const useragent = require("express-useragent");
const logger = require("morgan");
const path = require("path");
const cookieParser = require("cookie-parser");
const mongoose = require("mongoose");
const session = require("express-session");
const MongoStore = require("connect-mongo");
const passport = require("passport");
const router = require("./routes"); // assumed path to the app's router

const app = express();
app.use(
  helmet({
    contentSecurityPolicy: false,
  })
);
app.disable("x-powered-by");
app.use(useragent.express());
if (process.env.NODE_ENV !== "production") {
  app.use(logger("dev"));
} else {
  app.use(logger("common"));
}
// view engine setup
app.set("views", path.join(__dirname, "views"));
app.set("view engine", "pug");
app.use(express.json({ limit: "100mb", extended: true }));
app.use(express.urlencoded({ limit: "200mb", extended: false }));
app.use(cookieParser());
app.use(express.static(path.join(__dirname, "public")));
mongoose
  .connect(process.env.MONGO_URI2, {
    useNewUrlParser: true,
    useUnifiedTopology: true,
    autoIndex: false,
  })
  .then(() => console.log("Connect to MongoDB success"))
  .catch((err) => {
    console.log(err);
    // process.exit();
  });
let sess = {
  name: "definitelyNotSID",
  secret: "super secret",
  cookie: { maxAge: 14 * 24 * 60 * 60 * 1000, secure: true },
  proxy: true,
  saveUninitialized: false,
  resave: false,
  unset: "destroy",
  store: MongoStore.create({
    client: mongoose.connection.getClient(),
  }),
  rolling: true, // re-issue the session cookie on every response
};
if (app.get("env") === "production") {
  app.enable("trust proxy");
  app.set("trust proxy", 1); // trust first proxy
  sess.cookie.secure = true; // serve secure cookies
}
app.use(session(sess));
app.use(passport.initialize());
app.use(passport.session());
app.use("/", router);
```
I have struggled with this problem for over a day and am not sure whether it is a session, passport or iisnode problem. Any help would be appreciated! Thanks!
Edit
I tried disabling the session store and the problem still occurs, so I don't think it was caused by connect-mongo.
I think I found it. The problem is on IIS: I have some settings to cache .js and .css files on IIS, but somehow it prevents some requests from passing to express, which messed things up.
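Added example, not code from the issue or from express-session/iisnode: it replays the reported flow (A logs in, B logs in, A comes back) against a minimal rolling-session app placed behind a shared response cache, showing how a cache that stores a reply carrying Set-Cookie hands one user's sid to the other, and the rule a cookie-aware cache applies instead. The thread does not confirm that the IIS cache stored Set-Cookie, so this is one plausible mechanism rather than the diagnosed one; makeApp, makeCache, makeClient and sessionIsolation are constructed names.

```javascript
// Added example, not code from the issue; all names and values are constructed.
// Stand-in for express-session with rolling: true: every reply re-sends the cookie.
function makeApp() {
  const store = new Map(); // sid -> { user }
  return (req) => {
    let sid = (req.headers.cookie || "").replace(/^sid=/, "");
    if (!store.has(sid)) { // new visitor: mint a sid (real apps use a CSPRNG)
      sid = Math.random().toString(16).slice(2, 14);
      store.set(sid, { user: null });
    }
    if (req.path === "/login") store.get(sid).user = req.body.user;
    const headers = { "set-cookie": `sid=${sid}; Secure; HttpOnly`, "cache-control": "private" };
    return { status: 200, headers, body: { user: store.get(sid).user } };
  };
}
// Shared cache keyed on path only. "naive" stores every 200 GET reply, Set-Cookie and
// all; "cookieAware" never stores a reply that sets a cookie or is private/no-store.
function makeCache(mode, upstream) {
  const entries = new Map();
  return (req) => {
    if (req.method === "GET" && entries.has(req.path)) return entries.get(req.path);
    const res = upstream(req);
    const personal = "set-cookie" in res.headers || /private|no-store/.test(res.headers["cache-control"] || "");
    if (req.method === "GET" && res.status === 200 && (mode === "naive" || !personal)) entries.set(req.path, res);
    return res;
  };
}
// A browser: its own cookie jar, adopting whatever Set-Cookie it receives.
function makeClient(proxy) {
  let cookie = "";
  return {
    send(method, path, body = {}) {
      const res = proxy({ method, path, headers: { cookie }, body });
      if (res.headers["set-cookie"]) cookie = res.headers["set-cookie"].split(";")[0];
      return res;
    },
    sid: () => cookie.replace(/^sid=/, ""),
  };
}
// Replays the report: who does the server take browser A for when it comes back,
// and do the two browsers still hold distinct session ids?
function sessionIsolation(mode) {
  const proxy = makeCache(mode, makeApp());
  const a = makeClient(proxy), b = makeClient(proxy);
  a.send("POST", "/login", { user: "A" });
  b.send("POST", "/login", { user: "B" });
  b.send("GET", "/me"); // B's reply, carrying B's Set-Cookie, now sits in the shared cache
  const seenByA = a.send("GET", "/me").body.user;
  return { seenByA, isolated: a.sid() !== b.sid() };
}
```

Running sessionIsolation("naive") reproduces the symptom from the report (A is answered as B and both browsers end up holding the same sid), while sessionIsolation("cookieAware") keeps the two sessions apart.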