krakenjs/lusca

lusca with client-session fails

Closed this issue · 3 comments

I was trying to use lusca with client-session library and it fails with the below error. Can you please share your views?

lusca requires req.session to be available in order to maintain state

Error: lusca requires req.session to be available in order to maintain state
at Object.create (/Users/msubbiah/sample/sessionapp/node_modules/lusca/lib/token.js:13:15)
at getCsrf (/Users/msubbiah/sample/sessionapp/node_modules/lusca/lib/csrf.js:34:22)
at checkCsrf (/Users/msubbiah/sample/sessionapp/node_modules/lusca/lib/csrf.js:57:20)
at Layer.handle [as handle_request]
at trim_prefix (/Users/msubbiah/sample/sessionapp/node_modules/express/lib/router/index.js:312:13)
at /Users/msubbiah/sample/sessionapp/node_modules/express/lib/router/index.js:280:7
at Function.process_params (/Users/msubbiah/sample/sessionapp/node_modules/express/lib/router/index.js:330:12)
at next (/Users/msubbiah/sample/sessionapp/node_modules/express/lib/router/index.js:271:10)
at clientSession (/Users/msubbiah/sample/sessionapp/node_modules/client-sessions/lib/client-sessions.js:630:5)
at Layer.handle [as handle_request]

Precisely as it reads. req.session needs to be available. In other words (as mentioned in the README):

Please note that you must use express-session, cookie-session, their express 3.x alternatives, or other session object management in order to use lusca.

So add a session provider (express-session with the default MemoryStore is totally sufficient for development though not for production) before lusca and all should be good.

Note that if you're using lusca by means of kraken, both a session provider and lusca are preconfigured so no need to add either, merely provide overrides as necessary.

Ack. Just read up on client-session. Strangely, they're not following the convention of making the session object available on req.session by default.

Try setting the cookieName property in the config object you set for client-session to session. E.g.:

app.use(clientSession({ cookieName: 'session' }));
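The failure and the fix discussed in this thread, reproduced as an added example that is not code from the lusca or client-sessions projects. `fakeSession`, `fakeCsrf` and `run` are hypothetical stand-ins built on Node built-ins only, and `mySession` is a constructed cookie name.

```javascript
// Added example: stand-ins for the two middlewares, Node built-ins only.
const crypto = require('crypto');

// Stand-in for a session middleware that, like client-sessions in this thread,
// attaches the session object to req[cookieName].
function fakeSession({ cookieName }) {
  return (req, res, next) => { req[cookieName] = {}; next(); };
}

// Stand-in for a CSRF middleware that keeps its secret in req.session and
// fails with the message from the issue when the session is missing.
function fakeCsrf() {
  return (req, res, next) => {
    if (!req.session) {
      return next(new Error(
        'lusca requires req.session to be available in order to maintain state'));
    }
    req.session._csrfSecret =
      req.session._csrfSecret || crypto.randomBytes(16).toString('hex');
    next();
  };
}

// Minimal connect-style runner: calls each middleware in order, stops on error.
function run(stack, req = {}) {
  let error = null;
  let i = 0;
  const next = (err) => {
    if (err) { error = err; return; }
    const mw = stack[i++];
    if (mw) mw(req, {}, next);
  };
  next();
  return { req, error };
}

// Session lands on req.mySession (constructed name): the CSRF check fails.
const broken = run([fakeSession({ cookieName: 'mySession' }), fakeCsrf()]);
// cookieName 'session' puts it on req.session: the CSRF layer can keep state.
const fixed = run([fakeSession({ cookieName: 'session' }), fakeCsrf()]);
// Right name, wrong order (CSRF mounted before the session) fails the same way.
const misordered = run([fakeCsrf(), fakeSession({ cookieName: 'session' })]);

console.log('broken:    ', broken.error && broken.error.message);
console.log('fixed:     ', fixed.error, Object.keys(fixed.req.session));
console.log('misordered:', misordered.error && misordered.error.message);
```

The same two conditions apply to the real middlewares: the session object must be on `req.session`, and the session middleware must be mounted before lusca.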