I'm trying to use a SERN stack to create a login/ registration system, using express-session to determine if the user logged in. The cookie is being saved into the browser, and is sent to the session store with the cookie being modified, but is unable to be accessed through other routes. Despite the cookie being present in the browser and store, it continues to generate new sessions in other API calls. The server is hosted on port 5000, while the react client is hosted on 3000. Clientside calls are made with axios, and are done with the withCredentials:true setting
db.js: `
const session=require("express-session");
const config={
connectionLimit:process.env.DB_CONNECTION_LIMIT,
host:process.env.DB_HOST,
user:process.env.DB_USER,
password:process.env.DB_PASSWORD,
database:process.env.DB_DATABASE
}
const db=mysql.createPool(config);
const SQLStore=require("express-mysql-session")(session);
const store=new SQLStore({
expiration:7*24*3600*1000,
createDatabaseTable:true,
schema:{
tableName:"Sessions",
columnNames:{
session_id:"session_id",
expires:"expires",
data:"session_data"
}
}
},db);
server.js
const express=require('express');
const app=express();
const cors=require('cors');
app.use(cors({
origin:"http://localhost:3000",
methods:["GET,POST"],
credentials:true
}));
const bodyParser = require('body-parser')
app.use(bodyParser.urlencoded({extended:true}));
app.use(bodyParser.json());
require('dotenv').config()
const dbExports=require('./databaseConnect');
const session=dbExports.session;
const store=dbExports.store;
const searchUserByInsertID=dbExports.searchUserByInsertID;
const searchUserByUsername=dbExports.searchUserByUsername;
const searchUserByUsernameAndEmail=dbExports.searchUserByUsernameAndEmail;
const createUser=dbExports.createUser;
const cookieParser=require("cookie-parser");
app.use(cookieParser());
app.use(session({
name:process.env.SESSION_NAME,
resave:false,
saveUninitialized:false,
store:store,
secret:process.env.SESSION_SECRET,
cookie:{
secure:false,
expires:14*24*60*60*1000
}
}))
const bcrypt=require('bcrypt');
const validator=require("email-validator")
require("./routes")(app,validator,bcrypt,searchUserByInsertID,searchUserByUsername,searchUserByUsernameAndEmail,createUser);
app.listen(5000,()=>{
console.log("listening on port 5000")
})
` Routes.js:
app.post('/login',async (req,res)=>{
const username=req.body.username;
const password=req.body.password;
const user=await searchUserByUsername(username);
if(!user.length){
console.log("username not found in db");
res.json({status:"usernameInvalid"});
}
else{
const dbHashedPassword=user[0].password;
if(await bcrypt.compare(password,dbHashedPassword)){
req.session.user=user[0];
req.session.save();
console.log(req.session);
res.json({status:"userValid"});
}
else{
console.log("wrong password");
res.json({status:"passwordInvalid"});
}
}
})
//once the user is redirected to a landing page after registering/logging in, this route is called, but returns undefined, and console logging the sessionid shows a different value than the one that is currently in the browser cookie/store.
app.get('/checkSession',async (req,res)=>{
console.log(req.session.user);
res.json({status:"hi"});
})
api call in react client:
Axios.defaults.withCredentials=true;
Axios.get('http://localhost:5000/checkSession').then((response)=>{
console.log(response.data);
}).catch((err)=>{
console.log(err);
})
session store also receives the session
I tried modifying session settings, but I was unable to continuously access the session through different routes. Once the client makes a subsequent request, despite having the session cookie present in browser, it is unable to be accessed by the server.
