Sharing sessions between domain and subdomain


I'm a little more than stuck at the moment. Been spending the better part of 3 days trying to figure out this little issue which I'm hoping is just a simple mistake.

The issue at hand is I cannot get sessions to share between example.com and b.example.com. I am using AWS and currently using SSL. I must have tried all the solutions that people say will fix the issue, from using CORS, leading the domain with a '.' (believe this is outdated and not needed now), to anything else I can read online. This made me believe it was some of my other code, so I commented it all out and sadly still can't get it to work. I test to see if the session is shared by printing out the SessionID in some middleware and visiting the subdomain and domain, then checking the logs. For the subdomain I 'host' it on vhost; I'll post my code below. Thank you in advance, and if you need any other information I'll try to post it as fast as possible.

main app.js

var express = require('express');
var app = express();
var vhost = require('vhost');
var mongoose = require('mongoose');
var bodyParser = require('body-parser');
var helmet = require('helmet');
var flash = require('req-flash');
var cors = require('cors');
var session = require('express-session');
var favicon = require('serve-favicon');
var MongoStore = require('connect-mongo')(session);


var middlewares = require("./app/middlewares/middleware.js");
var controllerLogic = require('./app/controllers/logic/controllerLogic.js');

//app.set('views', express.static(__dirname + '/views'));
app.set('view engine', 'ejs');
app.set('trust proxy', 1);


mongoose.connect(process.env.MONGOOSE_CONNECT);
var db = mongoose.connection;
db.on('error', console.error.bind(console, 'connection error:'));
db.once('open', function() {
    console.log("MONGODB connected");
});



app.use(helmet());
app.use(favicon('./public/img/favicon.png'));
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(express.static(__dirname + '/public'));
app.use(session({
    name: 'exampleSession',
    genid: function(req) {
        return require('crypto').randomBytes(48).toString('hex');
    },
    rolling: true,
    secret: process.env.COOKIE_SESS_SECRET,
    resave: false,
    saveUninitialized: false,
    domain: 'example.co',
    cookie: { 
        test: 'help',
        secure: true,
        maxAge: 270000,
        httpOnly: true //http://expressjs.com/en/advanced/best-practice-security.html
    },
    store: new MongoStore({ mongooseConnection: mongoose.connection })
}));
app.use(middlewares.prettifyDomain);
app.use(flash());
app.use(controllerLogic.flashAll);
app.use(vhost('b.example.co', require('./libs/vhost/b.app.js').app));
app.get('/ping', function (req, res) {
  res.send('successfuly pinged(kinda)!');
});
require('./app/controllers/routes/boards.js')(app);
require('./app/controllers/routes/user.js')(app);
require('./app/controllers/routes/main.js')(app);



app.listen(process.env.PORT || 80);

subdomain vhost file

var express = require('express');
var app = express();
var router = express.Router();

var middlewares = require("./../../app/middlewares/middleware.js");

require('./../../app/controllers/router/routes.js')(router);


app.use(router);

exports.app = app;

If it should be working as it is I'll try to do more testing when I get back home and post what I found if any. Again thank you!

Edit: It seems like vhost creates a new session each time I refresh on the subdomain. I moved to express-subdomain. When I did this a cookie appeared on the subdomain when on vhost there was none. The SessionId is still different between subdomain and the main domain but now the subdomain doesn't have a new SessionID each request. The change looks like this...

app.use(subdomain('b', router));
require('./app/controllers/router/routes.js')(router);
//above replaced the code below.
//require('./libs/vhost/b.app.js').app;
//app.use(vhost('b.example.co', require('./libs/vhost/b.app.js').app));

There are 1 best solutions below


Figured out my problem, and it was most likely due to me looking too fast at other solutions people posted.

The issue was I had the domain outside of the cookie so it wasn't going to my domain to the subdomain. Once I put

domain: 'example.co',

inside

cookie: { 
}

it fixed the issue. Also note I thought I needed to use cors but I removed them and it still worked. Hope this helps if you have the same issue!
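Why the placement of `domain` matters, as an added example that is not part of the original post and is not express-session's own code: it models a middleware that turns only the keys under `cookie` into Set-Cookie attributes, plus the browser's host-only versus Domain matching from RFC 6265. The function names and the `constructed-sid` value are assumptions made for the illustration.

```javascript
// Server side (model): only keys inside `cookie` become Set-Cookie
// attributes; a top-level `domain` option is never read.
function setCookieHeader(opts, sid) {
  const c = opts.cookie || {};
  const parts = [`${opts.name}=${sid}`, 'Path=/'];
  if (c.domain) parts.push(`Domain=${c.domain}`);
  if (c.maxAge) parts.push(`Max-Age=${Math.floor(c.maxAge / 1000)}`);
  if (c.httpOnly) parts.push('HttpOnly');
  if (c.secure) parts.push('Secure');
  return parts.join('; ');
}

// Browser side (model): with no Domain attribute the cookie is host-only
// and bound to the exact host that set it. A leading '.' is ignored.
function storeCookie(header, originHost) {
  const m = /;\s*Domain=\.?([^;]+)/i.exec(header);
  return m
    ? { domain: m[1].toLowerCase(), hostOnly: false }
    : { domain: originHost.toLowerCase(), hostOnly: true };
}

// RFC 6265 domain-match: exact host, or a suffix preceded by a dot.
function wouldSend(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Cookie is set by example.co; is it sent on a request to b.example.co?
function sharedWithSubdomain(opts) {
  const header = setCookieHeader(opts, 'constructed-sid');
  return wouldSend(storeCookie(header, 'example.co'), 'b.example.co');
}

// Configuration as posted in the question: `domain` sits beside `cookie`.
const asPosted = { name: 'exampleSession', domain: 'example.co',
  cookie: { secure: true, httpOnly: true, maxAge: 270000 } };
// Configuration from the answer: `domain` moved inside `cookie`.
const asFixed = { name: 'exampleSession',
  cookie: { domain: 'example.co', secure: true, httpOnly: true, maxAge: 270000 } };

for (const [label, opts] of [['posted', asPosted], ['fixed', asFixed]]) {
  console.log(label, '|', setCookieHeader(opts, 'constructed-sid'),
    '| sent to b.example.co:', sharedWithSubdomain(opts));
}
```

With `Domain=example.co` the session cookie is sent to every host under example.co, not only b.example.co, so each of those hosts receives the session ID.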