Search code examples
node.jsexpresscookiespassport.jsexpress-session

Passport js is not working after cookie lifetime expired

Recently I've found tricki bug in my express js project and I would be grateful for help with debugging it.

This is related question, but answer is not resolving problem, because I want to specify maxAge and deleting this parameter from session configuration is not solution for me.

I am using Passport js + express-session

This is my session configuration:

var passport = require('passport');
var session = require('express-session');
var cookieParser = require('cookie-parser');

app.use(cookieParser());

app.use(session({
    secret: 'MySecret',
    resave: false,
    saveUninitialized: false,
    cookie  : {
        secure: false, // If it's true, login is not working as well
        maxAge: new Date(Date.now() + (60 * 1000 * 30))    
    }
}));

app.use(passport.initialize());
app.use(passport.session());

To check that user is authenticated I'm using simple middleware: 

middlewareObj.isLoggedIn = function(req, res, next) {
    if (req.isAuthenticated()){
        return next();
    } else {
        return res.redirect('/signin');
    }
};

Passport local-signin:

passport.use('local-signin', new LocalStrategy(
        {
            usernameField: 'email',
            passwordField: 'password',
            passReqToCallback: true
        },
        function (req, email, password, done) {
            var User = user;

            var isValidPassword = function (userpass, password) {
                return bCrypt.compareSync(password, userpass);
            }

            User.findOne({
                where: {
                    email: email
                }        
            }).then(function (user) {
                if (!user) {
                    return done(null, false, req.flash('error', 'User does not exists'));
            }

            if (!isValidPassword(user.dataValues.userPassword, password)) {
                return done(null, false, req.flash('error', 'Incorrect password.'));
            }

            return done(null, {user});

        }).catch(function (error) {
           return done(null, false, req.flash('error',error.message));
        });
    }
));

This is my logout route: 

router.get('/logout',(req,res) => {
    req.session.destroy(function(err) {
        return res.redirect('/');
    });
});

Standard user login is working fine, after submitting sign in form user is serialized than deserialized and isAuthenticated() method returns true.

But cookie configuration(maxAge exactly) is making some problems. When cookie lifetime expired, next user's login is not working anymore. isAuthenticated() method is returning false (user object does't exist inside req).

After restarting server, user can login normally, but when cookie maxAge is reached, next login is not working again. Passport is not showing any errors.

Solution

  • It likely has something to do with your maxAge value. The expressjs/sessions package docs point out that maxAge is "the number (in milliseconds) to use when calculating the Expires Set-Cookie attribute".

    You're passing a Date to maxAge; it's expecting the number of milliseconds until the cookie expires.