session_id is ignored and a new one is generated instead

[Leni-Vienne]

Hello,
I'm facing an issue when inside a route where the req.session.id will always be a new one, thus retaining no information from the user cookie.
EDIT : test yourself with Docker : https://github.com/Leni-Vienne/nodePgConnect_issue
Here is some code of the backend :

const sessionStore = new pgSession({
    pool: pool,
    tableName: 'sessions'
})

app.use(expressSession({
    store: sessionStore,
    secret: process.env.CLE_COOKIE,
    resave: false,
    saveUninitialized: false,
    unset: 'destroy',
    cookie: { 
        maxAge: 60 * 60 * 1000,
        secure: false, 
        httpOnly: true,
    },
}));

app.post('/api/connexion', async (req, res) => {
    try {
        if (req.session) {
            console.log("'old id' : ", req.session.id) // actually a brand new id, not in the database...
            if (req.session.id_user) { // undefined
                let user = await getUserFromId(req.session.id_user)
                return res.json(user)
            }
        }
        let mail = (process.env.VITE_ENVIRONMENT === "dev") ? process.env.CAS_MOCK : await casAuth(req.body.ticket)
        if (mail) {
            let user = await getUserFromMail(mail)
            if (user) {
                console.log(req.session.id) // the same new one
                req.session.regenerate(function (err) {
                    if (err) throw (err)
                    console.log("new id : ",req.session.id) // a new id, which is expected and savec correctly
                    req.session.id_user = user.id_user
                    req.session.groupe = user.groupe
                    req.session.save(function (err) {
                        if (err) throw err(err)
                        res.json(user)
                    })
                })
            }
        }
    } catch (error) {
        console.error(`api/connexion : ${error}`)
        res.json({ error: 'Une erreur est survenue lors de la connexion.' })
    }
});

req.session.save() does save successfully in the databse with 'id_user' and 'groupe' at the end of the sess JSON. I had a previous implementation with mySQL that worked flawlessly, it was almost a drop in replacement up to this point. Same with the default memory storage, it's able to retrieve informations about the user flawlessly.

I would love to get some help, thanks :)

[joewagner]

Hey @Leni-Vienne
I came here from your express-session issue. I'm not familiar with this package, but out of curiousity can you show where the pgSession variable comes from? Or even better share a small app that can be used to reproduce this issue?

[Leni-Vienne]

Thank you for helping me. I've made a repo where I can reproduce the issue with postman (a new cookie is always generated), And when commenting the line store : store the issue indeed goes away and the server is able to retrieve the cookie. It does need a postgres server unfortunately. Should I dockerise it?
https://github.com/Leni-Vienne/nodePgConnect_issue

[voxpelli]

Not sure if related, but you do know express does not support async route handlers?

app.post('/login', async (req, res) => {

It will disregard whatever error or result that the promise resolves to.

[voxpelli]

If you could make a PR that adds the reproduction as a failing test here then it would be easier to look into and fix: https://github.com/voxpelli/node-connect-pg-simple/blob/main/test/integration/express.spec.js

I see that right now all the tests are using these settings:

    app.use(session({
      store,
      secret,
      resave: false,
      rolling: true,
      saveUninitialized: true,
      cookie: { maxAge },
      ...sessionOptions,
    }));

But none of the tests are sending in modified sessionOptions.

In your repository I'm seeing some different options, such as eg:

    resave: true,
    saveUninitialized: false,

If adding a test with eg. those options will fail similarly then it's no question that the error is in this module and we have to look at fixing it.

Sorry for not having a better reply right now 🙏

[Leni-Vienne]

Hi, I'm not sure myself what are the conditions required to reproduce the issue so I will struggle to write a test for it.
However my repo of the issue is now dockerised so you can test it yourself :
https://github.com/Leni-Vienne/nodePgConnect_issue
You will see it that once you enter a username and login, a session is added in the DB but reloading the page won't keep you connected. Then commenting line 30 store: store, of server.js will make the issue go away. I tested the options you mentioned but it didn't change much.
Hopefully you can find what's wrong with the package or with my code 😄

[kozm9000]

Greetings @voxpelli !
I was also facing the same issue with default settings as mentioned in the message above.
Same scenario: route with req.session.save() ( if condition when setting one of the sessionData keys ). However, even without it, like in @Leni-Vienne 's dockerized example a new sid is generated every time.

pgSession source:

Using ts with @types/connect-pg-simple
import pgSession from 'connect-pg-simple';

Node error:

error: there is no unique or exclusion constraint matching the ON CONFLICT specification

Postgres Log:

ERROR:  there is no unique or exclusion constraint matching the ON CONFLICT specification
STATEMENT:  INSERT INTO "session" (sess, expire, sid) SELECT $1, to_timestamp($2), $3 ON CONFLICT (sid) DO UPDATE SET sess=$1, expire=to_timestamp($2) RETURNING sid

Solution and why it was happening:

@Leni-Vienne make sure that when you are creating the table with table.sql in the repo that every statement is executed.