Adding verification that sess.cookie is set #904
Thanks! So to better understand: you are saying that the store module is returning an improper object when this module asks for the session? If so, it does sound like that is a bug in your store. But as for handling it better here, it seems like that shouldn't be silent like your change, as there is something in the store with that id, but this change makes it think there is nothing. I would think in a case like this, this module should raise an error and of course make sure it gets propagated correctly (vs uncatchable).
See comment and also needs tests.
Yes, exactly.
Agreed, that makes sense. I'll update it and add tests when I get the chance.
Cool. After I typed that in the car, I was thinking about it looking at the code, and it could potentially be as simple as this:

```js
this.get(sid, function(err, sess){
  if (err) return fn(err);
  if (!sess) return fn();
  var err = null
  var req = { sessionID: sid, sessionStore: self };
  try {
    sess = self.createSession(req, sess)
  } catch (e) {
    err = e
    sess = null
  }
  fn(err, sess)
});
```

Sorry if I typo'ed anything above, was just typing this out in the car still :) I figure the
@dougwilson I've updated the error handling to be broader as you suggested and added a test that demonstrates the issue.

Apologies, I should have checked the docs on `assert.match`, it was added in later node versions. I think that it should pass on all nodejs versions now.
Nice, sorry about that! I was just looking this over, and it seems we probably need to add the same guard at Lines 92 to 97 in 1010fad

@dougwilson here I am 7 months later closing the loop on this. 😆 I went ahead and wrote a unit test that demonstrates the error you found in
store.clear(function (err) { | ||
if (err) return done(err) | ||
|
||
store.get = function returnCorruptSession(sid, callback) { |
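Review bot: the reassignment `store.get = function returnCorruptSession(sid, callback)` inside the `store.clear` callback carries no in-code comment explaining why the override happens at this point in the test; a one-line comment above it would keep a later cleanup from moving it. The visible lines also do not show the original `store.get` being restored, so if this store instance is reused by other tests, save the original and put it back once the assertion has run.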
`store.get` needs to be overwritten here instead of on line 1719 because otherwise the error is caught (and surfaced gracefully) in the wrong spot and `.reload()` never executes.
@dougwilson hey, just wanted to check if there's anything you needed from me for this to get across the line, thanks!

Hi @dougwilson, any additional feedback on this? We're still seeing this issue crop up on our end and would love if we could get this merged. Thanks!
9d2e29b to 408229e
In the environment where I'm using `express-session`, sometimes the session is set to `{}`. That causes this library to crash, because upon session load/creation it is currently only checking if `sess` is truthy, and is not checking that `sess.cookie` exists, prior to accessing properties on `sess.cookie`.

The library currently throws an error, and I have not found an elegant way to catch that error. This change should resolve the issue, by no longer calling `self.createSession` in the event that `sess.cookie` is unset.
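
The failure mode discussed in this thread, as an added example that is not express-session's code or this PR's diff: a truthy-only check beside a load that reports a corrupt `{}` record through the callback. The `store`, `records`, `loadUnguarded`, `loadGuarded` and `outcome` names are hypothetical, and `createSession` is a stand-in that only reads `sess.cookie`.

```javascript
// Constructed records, standing in for what a backing store might return.
const records = {
  good: { cookie: { expires: null }, user: 'alice' },
  corrupt: {} // the `{}` case from the PR description
};

// Hypothetical store. get() calls back synchronously so the outcome can be
// inspected directly; a real store calls back on a later tick, where a throw
// inside the callback cannot be caught by the code that called load().
const store = {
  get(sid, cb) { cb(null, records[sid]); },
  // Stand-in for session creation: reads properties on sess.cookie.
  createSession(req, sess) {
    const expires = sess.cookie.expires; // TypeError when cookie is missing
    return { id: req.sessionID, expires, data: sess };
  }
};

// Before: only checks that sess is truthy, then dereferences sess.cookie.
function loadUnguarded(sid, fn) {
  store.get(sid, (err, sess) => {
    if (err) return fn(err);
    if (!sess) return fn();
    fn(null, store.createSession({ sessionID: sid }, sess));
  });
}

// After: a createSession failure is reported through the callback.
function loadGuarded(sid, fn) {
  store.get(sid, (err, sess) => {
    if (err) return fn(err);
    if (!sess) return fn();
    let created;
    try {
      created = store.createSession({ sessionID: sid }, sess);
    } catch (e) {
      return fn(e);
    }
    fn(null, created);
  });
}

// Runs a loader and reports how the failure surfaced.
function outcome(load, sid) {
  const result = { threw: false, err: null, sess: null };
  try {
    load(sid, (err, sess) => { result.err = err || null; result.sess = sess || null; });
  } catch (e) { result.threw = true; }
  return result;
}
```

With the guarded version the caller decides what a corrupt record means (log it, destroy the record, regenerate the session) instead of the process dying inside the store callback.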