1.5.0 is not updating the session json file after authentication #94

Open
scottc385 opened this issue Oct 13, 2020 · 7 comments

@scottc385

I updated my working app from 1.4.0 to 1.5.0 and could no longer log in. Investigated the issue and found the session json file was not being updated with the 'user' object. Sequence:

  1. First GET creates session with no 'user'
  2. POST /login authenticates correctly, serialize function is being called, but the session json file is NOT updated.
  3. Next GET does not auth because of the missing 'user' object

Going back to 1.4.0 solves the issue.

Also, I noticed that if I delete the session file between steps 1 & 2, a new session file is created with the user object.

Also, also, just by chance I found that if the client POSTs two times very quickly (or while I am stepping through the debugger) the session file is updated correctly.

@valery-barysok
Owner

@scottc385, Could you provide example code to reproduce it?

@scottc385
Author

I do not have time today to make a working example, but I will post the pertinent parts of my code:

const session = require('express-session');
var fileStore = require('session-file-store')(session);
app.use(flash());
app.use(session({
    // File store 1.5.0 was not working, would not update the session file after authenticated !!!
    // Went back to version 1.4.0
    store: new fileStore({ttl: 31*86400, retries: 3}),
    secret: "secret",
    resave: false,
    saveUninitialized: false,
    cookie: { maxAge: null }
}));
app.use(passport.initialize());
app.use(passport.session());

Note: I also tried every combination of resave, saveUninitialized & rolling settings, but it did not help.

passportConfig.js attached

passportConfig.js.txt

@scottc385
Author

Also, it was the LocalStrategy that was failing. The JsonStrategy was working. I also commented out the JsonStrategy and the problem still existed.

@lanly-dev

lanly-dev commented Dec 12, 2020

My app also has the session-not-updating problem with version 1.5.0. It turned out 1.4.0 does that sometimes too, but it is not that noticeable. Rolling express-session from 1.17.1 back to 1.9.0 or this package to 1.3 seems to fix my app's bug.

@SuecoMarcus

Same problem here!

I've been working for hours trying to find out why my login page wasn't functioning.

I switched to 1.4.0 and voila! The login is working again.

@mcaralp

mcaralp commented Apr 21, 2021

I think the problem comes from the write-file-atomic module. The writeFileAtomic() function is used to save the session, but it takes a really long time, and occasionally the session is saved after the browser has reloaded the web page. A solution is to manually save the session, something like this:

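app.post('/login', (req, res, next) => {

    const callback = (err, user, info) => {
        if (!user) return next(err)

        // Establish the login session (calls serializeUser)
        req.logIn(user, (err) => {
            if (err) return next(err)

            // Persist the session to the store before redirecting
            req.session.save((err) => {
                if (err) return next(err)
                res.redirect('/')
            })
        })
    }

    passport.authenticate('local', callback)(req, res, next);
})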

This will ensure that the session is saved before the webpage is reloaded.

@Codelica

@mcaralp thanks for the tip!

This seems to amount to a frustrating race condition when network times are quick compared to file write times. When using OAuth strategies with redirects, it gets hard to pinpoint. Manually forcing the session to save (as above) in the verify callback works, but it does make me wonder about session changes between other quick calls once logged in though. I guess in a perfect world it would be nice to have the option of in-memory sessions that are (lazily) file backed, although I guess that starts to get into Redis territory. :)
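
The race described by mcaralp and Codelica above, as an added example that is not part of the thread and is not code from session-file-store, express-session or passport. It is a constructed virtual-clock model (`simulateLogin`, `writeMs` and `roundTripMs` are hypothetical names) comparing a redirect sent while the session write is still in flight with a redirect sent from the save callback.

```javascript
// Added illustration: a constructed virtual-clock model of the login race.
// Not code from session-file-store, express-session or passport;
// simulateLogin, writeMs and roundTripMs are hypothetical names.
function simulateLogin({ writeMs, roundTripMs, saveBeforeRedirect }) {
  const disk = { sid1: {} };   // session file after the first GET: no 'user'
  const events = [];           // pending events: { t, fn }
  const trace = [];
  let authenticated = null;    // what the follow-up GET concludes
  const at = (t, fn) => events.push({ t, fn });

  // The store write becomes visible on disk writeMs after it is started.
  const storeSet = (now, data, done) => at(now + writeMs, (t) => {
    disk.sid1 = data;
    trace.push(`${t}ms session file written`);
    done(t);
  });

  // The browser's next GET reads the session file roundTripMs after the redirect.
  const redirect = (now) => {
    trace.push(`${now}ms redirect sent`);
    at(now + roundTripMs, (t) => {
      authenticated = 'user' in disk.sid1;
      trace.push(`${t}ms GET / reads session, user present: ${authenticated}`);
    });
  };

  // POST /login at t=0: credentials verified, user serialized into the session.
  const session = { user: 'alice' };  // constructed sample value
  if (saveBeforeRedirect) {
    storeSet(0, session, redirect);   // redirect only from the save callback
  } else {
    storeSet(0, session, () => {});   // write started, not waited for
    redirect(0);
  }

  // Run events in timestamp order (ties keep insertion order).
  while (events.length > 0) {
    events.sort((a, b) => a.t - b.t);
    const e = events.shift();
    e.fn(e.t);
  }
  return { authenticated, trace };
}

// Slow disk, fast network: the follow-up request wins the race.
console.log(simulateLogin({ writeMs: 40, roundTripMs: 5, saveBeforeRedirect: false }));
// Same timings, redirect issued from the save callback.
console.log(simulateLogin({ writeMs: 40, roundTripMs: 5, saveBeforeRedirect: true }));
```

With `writeMs` below `roundTripMs` the variant that does not wait also ends up authenticated, which is why the failure shows up only intermittently.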
