Askdesigners

Reputation: 419

Setting a domain on the default connect.sid browser cookie in an express app

OK so I have an express/mongo app that operates based on subdomains. I have read that it's possible to have a session ID cookie be available to subdomains by setting the domain of the cookie to .mydomain.com

That should work, but I can't figure out how to get that property into the default browser cookie (connect.sid).

I'm using express-session for sessions, connect-mongo for persisting the sessions, and of course cookie-parser to make that all work.

There seem to be a few different places where I might be able to set this property, but none of them seem to have any effect on the actual cookie I see in Chrome's dev tools. :(

Here's the app config block:

app.use(bodyParser());
app.use(methodOverride());
app.use(cookieParser('judy_has_cooties', { domain: '.' + app.settings.domainToUse })); 
app.use(express.static(__dirname + '/app'));
app.use(function(req, res, next) {
    res.header('Access-Control-Allow-Credentials', true);
    res.header('Access-Control-Allow-Origin', '*');
    res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
    res.header('Access-Control-Allow-Headers', 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept');
    next();
});   
app.use(session({
    secret: app.config.secret,
    cookie: { 
        domain: '.' + app.settings.domainToUse, 
        path: '/', 
        httpOnly: true, 
        secure: false, 
        maxAge: null 
    },
    store: new MongoStore({url: app.config.db }, function(err){
        console.log('session store is up.');
    })
}));
app.use(subdomain({ 
    base : app.settings.domainToUse + '', 
    removeWWW : true 
}));
//app.use(morgan());
app.set('port', process.env.PORT || 3000);
app.engine('html', require('ejs').renderFile);
app.set('views', __dirname + '/app/views');
app.set('view engine', 'html');
app.server = require('http').createServer(app);

mongoose.connect(app.config.db);

require('./config/configure-routes')();

// Start server
app.server.listen(app.get('port'), function(){
    console.log(">>>>> Node server is listening on port " + app.get('port'));
});

I don't get the connect.sid cookie in the browser until after I login, so I assume it's being done when I call sessionStore.set(). What I'm not clear on is what is setting the actual browser cookie. When I log out the req.session object from some route auth middleware I see all the correct settings, but the actual browser cookie doesn't reflect these settings.

Am I right in thinking that the session cookie is actually just in the session store on the server and not in the browser? And the connect.sid is just a handle to look up those cookies?

If so, how can I add more data to the browser cookie to get it to persist between subdomains?

Thanks and sorry for possibly not understanding how sessions and cookies work together.

Upvotes: 4

Views: 3153

Answers (1)

Askdesigners

Reputation: 419

Ah! Ok, I really hope this helps someone because I was banging my head against the wall for 2 days.

So, apparently this was not an issue related to node, or my server config at all. It's purely a cookie problem.

Cookies, it seems, are super whiny about the patterns they receive in the domain= field. If something is not 1000% correct it will barf and just not set the cookie at all.

A domain with a port number like :3000 will not work and localhost will not work with the .localhost formatting for enabling subdomains. It requires a . some place in the domain name in order to be valid.

To do this locally I had to get into my local DNS settings and set up a .dev URL to be redirected to localhost. Pain in the ass! Here's a great link for that though if you're on OSX.

http://clintberry.com/2011/wildcard-sub-domains-on-osx-web-development-on-localhost/

Once that was set up, it worked like gangbusters!

Good luck, padawan.

Upvotes: 1
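As an added example (not part of the original question or answer), the sketch below approximates the browser-side checks on a Set-Cookie Domain attribute that the answer ran into, following RFC 6265 sections 5.2.3 and 5.3. The single-label rejection reflects what the answer reports rather than the RFC text, public-suffix checks are omitted, and `checkCookieDomain` and `myapp.dev` are hypothetical names.

```javascript
// Added example. Approximates RFC 6265 (5.2.3, 5.3) handling of Set-Cookie's Domain.
// Not covered: public-suffix checks and IPv6 hosts.
function checkCookieDomain(domainAttr, requestHost) {
  // Cookie scope never includes a port, so drop it from the Host header value.
  const host = requestHost.toLowerCase().replace(/:\d+$/, '');
  let domain = String(domainAttr || '').trim().toLowerCase();

  // No Domain attribute: host-only cookie, not sent to subdomains.
  if (domain === '') return { ok: true, scope: host, hostOnly: true };

  // A port or path inside the attribute can never domain-match a host.
  if (/[:\/]/.test(domain)) return { ok: false, reason: 'port or path in Domain' };

  // A leading dot is ignored by the RFC 6265 algorithm.
  if (domain.startsWith('.')) domain = domain.slice(1);

  // Assumption taken from the answer: names without an embedded dot are refused.
  if (!domain.includes('.')) return { ok: false, reason: 'single-label domain' };

  // Domain-match: identical, or host is a subdomain. IP literals must be identical.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  const matches = host === domain || (!isIp && host.endsWith('.' + domain));
  if (!matches) return { ok: false, reason: 'host does not domain-match' };

  return { ok: true, scope: domain, hostOnly: false };
}

// Constructed inputs: the values '.' + domainToUse would produce in the question.
const samples = [
  ['.localhost:3000', 'foo.localhost:3000'],
  ['.localhost', 'foo.localhost:3000'],
  ['.myapp.dev', 'foo.myapp.dev:3000'],
  ['', 'foo.myapp.dev:3000'],
];
for (const [attr, host] of samples) {
  console.log(JSON.stringify(attr), host, checkCookieDomain(attr, host));
}
```

Widening the scope to the parent domain sends the session ID to every subdomain under it, so leave `domain` unset (host-only) unless the session really has to be shared.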
