Session Values Deleting from Server But Not Login in NodeJS

sid · February 7, 2022, 10:34am

Wappler Version : 4.4.5
Operating System : W10
Server Model: NodeJS

Expected behavior

When a user logs in and sets REMEMBER ME as true/1, user session should remain live in the DB.
Also, re-deployment should not clear out login status irrespective of remember me, if cookie is still valid.
All session variables should be retained as well.

Actual behavior

With one of the latest updates (I think 4.4.3), config.js had a change around session store:

store: { $type: 'memory', ttl: 86400000 }

With this, the behaviour is really weird now.
If I login without remember me, I get logged out everytime I re-deploy. Which is how NodeJS has been working since day 1.
But now, if I login with remember me = 1, on re-deployment, user still stays login. But, any session that might have been set using SET SESSION steps, are cleared out.

patrick · February 7, 2022, 1:24pm

The remember me has nothing to do with sessions. Sessions are always temporary, data stored in session will be lost after a restart or when the session times out. The remember me stores the user credentials in a cookie in the client browser, the browser sends this cookie with every request, when the session for the logged in user is not set it will login the user with the credentials send with the cookie.

sid · February 7, 2022, 2:29pm

So all session variables are deleted just like before on restart, and only the cookie-based-remember-me option has been fixed/enabled from before - so that login session get created automatically?

patrick · February 24, 2022, 3:24pm

This is normal behavior, in memory sessions get lost when the server restarts, use persistent session like redis to prevent session from being deleted on server restart.

sid · February 24, 2022, 5:12pm

But this was not the behaviour up until a few releases.
This was not highlighted in any of the changes lists either.
Its a breaking change.

Not sure if you guys didn't catch it, but it would be good to post about this as a separate topic.

As for the current state of things, is there any option where I can disable this functionality or do I have to edit the core file and maintain it after every release?
Using redis not an option (using Caprover, so no idea how to set that up).

George · February 24, 2022, 6:12pm

Actually this is not changed since the first NodeJS integration in Wappler.

If you use memory sessions store - it will get reset on each server restart. That is how it have always worked.

Of course if you have chosen to store the login, a cookie is saved so you will be auto logged in.

And for persistent session storage you can use Redis indeed.

sid · February 25, 2022, 10:42am

You are gravely mistaken George.
This change was made in one the recent releases and it has NOT been so since day 1.

This is what the original session setup looked like since day one in config.js:

session: {
        name: package.name + '.sid',
        resave: false,
        saveUninitialized: false
    },

With this, no matter if ‘remember me’ was selected or not, every server restart would mean all session would get destroyed.

And this is what I could find in one of my commits for version 4.5.1 update where a new line was added:

session: {
    name: package.name + '.sid',
    resave: false,
    saveUninitialized: false,
    store: {
      $type: 'memory', ttl: 86400000
    }
  },

This is where the problems started - when ‘remember me’ is selected, and server restarts, all other session except login session survives.

So yes, this is a breaking change!

sid · January 18, 2023, 4:52am

Experiencing this problem again.
In the earlier project, we had put in extra conditions to check if session values are not found, logout the user.
But now in another application, we are seeing the same problem.

Wappler 5.3.1
NodeJS, PostgreSQL/MariaDB
Server Connect Settings > Sessions > Session Store = database; TTL = 86400

In the global security provider, cookie settings is set to expire in 30 days. And remember me is 1 in security login.
Now, when a user logs in, and accesses the website a couple of days later, they are still logged in, which is correct - but all the session values that were saved for the user are not longer there. So, while using the app, they experience random errors.

@patrick Please help.

sid · January 24, 2023, 5:16am

Bump.

sid · January 27, 2023, 6:54am

Bump. Please help.

patrick · January 27, 2023, 9:04am

Sessions expire after a specific time of inactivity, this is the default behavior for sessions on servers. The TTL is the Time to Live for the session, in the settings you give TTL = 86400 it is set to 1 day, so after 1 day of inactivity the session will be destroyed.

sid · January 27, 2023, 12:48pm

But its not actually destroyed.
I remain logged in and only the session values other than login session ID are destroyed.

sid · May 8, 2023, 6:17am

@patrick Need your help to figure this out. Its still causing problems in almost all our apps.

Here’s how my setup looks like:

I have a DB based security provider with cookie set to expire in 7 days.
In the SA/API settings, the sessions store is set as DB as well, with session TTL set to 604800 = 7 days.
When the user logs in, I store their user information in server session using set session step.
This data is used in various SAs via get session step, as required.

Problem:

Once a user logs in, things work fine. Session variable are retrieved correctly.
After few hours or a day (haven’t recorded exact time), when I open the app, the user information from session is gone BUT I remain logged in.

Requirement:

How to ensure that server side session values remain on the server for 7 days = security provider cookie value = session store value?

Redis is not in use. Remember is set to 1.

sid · May 10, 2023, 4:43am

Another bump.

patrick · May 10, 2023, 10:36am

Check the file app/config/config.json.

There should be the config for the session and looks like:

"session": {
  "store": {
    "$type": "database",
    "knex": "db",
    "ttl": "604800"
  }
}

Change it to:

"session": {
  "store": {
    "$type": "database",
    "knex": "db",
    "ttl": "604800"
  },
  "maxAge": 604800
}

let me know if that helps and fixes your issue.

sid · May 10, 2023, 11:10am

Thanks. Have just deployed this change. Will let you know how it goes.

patrick · May 10, 2023, 3:07pm

After some investigation the config should be different. You can inspect the session cookie with devtools, it is located under the Application tab. Check the Expires date of the cookie if it set to the correct date and not set to Session.

correct config code should be:

"session": {
  "store": {
    "$type": "database",
    "knex": "db",
    "ttl": "604800"
  },
  "cookie": {
    "maxAge": 604800000
  }
}

The maxAge should be placed under cookie and is in milliseconds.