Saving session data across multiple node instances

Question

EDIT - Oct 22, 2017
There was more than one reason our sessions weren't persisting, I've had to change our
express-session options to this:

api.use(session({
    secret: 'verysecretsecret',
    resave: false,
    saveUninitialized: false,
    cookie: {
        path: '/',
        httpOnly: true,
        domain: 'domain.dev',
        maxAge: 1000 * 60 * 24
    },
    store: new MongoStore({ mongooseConnection: mongoose.connection, autoReconnect: true })
}));

Apparently domain: 'localhost' causes express-session to start a new session every single time someone starts a session and then refreshes/navigates away and back when you have a seperate node instance for session handling.

I've solved this issue by doing the following:

1. Added 127.0.0.1 domain.dev to my hosts file located in C:\Windows\System32\drivers\etc.
2. I needed a place to store sessions as per the answers given below, so we chose MongoDB. This meant I had to add the following to my express-session options:
   
   store: new MongoStore({ mongooseConnection: mongoose.connection, autoReconnect: true })
   
   
3. Added the httpOnly: true property to the express-session options.
4. Because we use jQuery for our ajax requests, I had to enable some settings in the front-end web app before making calls to the back-end:
   
   $.ajaxSetup({ xhrFields: { withCredentials: true }, crossDomain: true, });

---

ORIGINAL POST
I'm currently working on a platform for which was decided to have the API running on port 3001 whilst the web application itself is running on port 3000. This decision was made to make monitoring traffic more easy.

Now, we're talking about express applications so we defaulted to using the express-session npm package. I was wondering if it's at all possible to save session data stored on the node instance running on port 3001 and be retrieved by the node instance running on port 3000 if that makes sense.

To elaborate, this is our user authentication flow:

1. User navigates to our web app running on port 3000.
2. User then signs in which sends a POST request to the API running on port 3001, session data is stored when the credentials are correct, response is sent so the web app knows the user is authenticated.
3. User refreshes the page or comes back to the web app after closing their browser so web app loses authenticated state. So on load it always sends a GET request to the API on port 3001 to check if there's session data available, which would mean that user is logged in, so we can let the web app know user is authenticated.

(If my train of thought is at fault here, please let me know)

The problem is that express-session doesn't seem to be working when doing this. I've enabled CORS so the web app is able to send requests to the API. And this is what the express-session configuration looks like:

api.use(session({
    secret: 'verysecretsecret',
    resave: false,
    saveUninitialized: false,
    cookie: {
        path: '/',
        domain: 'localhost',
        maxAge: 1000 * 60 * 24
    }
}));

Preferably help me solve this problem without using something like Redis, I'd simply like to know if solving this problem is possible using just express-session and node.

Answer 1

Preferably help me solve this problem without using something like Redis

You want us to help you solve this problem preferably without using the right tool for the job.

Without Redis you will need to use some other database. Without "something like Redis" (i.e. without a database) you will need to implement some other way to handle something that is a book example use case for a database.

And if you're going to use a database then using a database like Redis or Memcached is most reasonable for the sort of things where you need fast access to the data on pretty much every request. If you use a slower database than that, your application's performance will suffer tremendously.

I'd simply like to know if solving this problem is possible using just express-session and node.

Yes. Especially when you use express-session with Redis, as is advised in the documentation of express-session module:

• https://github.com/expressjs/session#session-store-implementation

If all of your instances work on the same machine then you may be able to use a database like SQLite that stores the data in the filesystem, but even when all of your instances are on the same box, my advice would be still to use Redis as it will be much simpler and more performant, and in the case when you need to scale out it will be very easy to do.

Also if all of your session data can fit in a cookie without problems, then you can use this module:

• https://www.npmjs.com/package/cookie-session

that would store all of the session data in a cookie. (Thanks to Robert Klep for pointing it out in the comments.)