NodeJs express-session don´t save the session

Question

I´ve a problem by saving something in the session above a NodeJs Script. If I start the script and making a post login like this:

app.post('/login', function(req, res) {
   sess = req.session;
   sess.key = "SecureKEy";
   console.log(sess);
});

I got as rusult that what I want:

Session { cookie: { path: '/', _expires: null, originalMaxAge: null, httpOnly: true }, key: 'SecureKEy' }

But if I reload the page with this code the session.key is empty. Just like it´s not saved.

app.get('/', function(req, res) {
   sess = req.session;
   console.log(sess);
   res.sendFile(__dirname+'/wwwroot/index.html');
});

My configuration for the express-session is this:

const session = require('express-session');
app.use(session({
   secret: 'importent',
   resave: true,
   saveUninitialized: true
}));

Answer 1

express-session auto-save edge cases?

The express-session save(...) method is certainly not triggered for some express response transport methods. It seems to trigger consistently for the frequently encountered ones such as response.send(...), response.json(...) etc.

But same is not the case for the special case transport method such as the express.response.end() method - from my observation at least; and also response.sendFile(...) according to the OP and response.redirect(...) according to posts elsewhere.

To avoid unforeseen issue, pay close attention when applying express-session to requests where special case response transport methods were used. The express-session save(...) method may have to be called directly to persist changes made during those requests. Even then, there is no guarantee that persistence would take place.

For example, there are occasions where setting values to null and/or calling the session.destroy(...) and/or session.regenerate(...) methods have no effect. Those destructed session data basically resurface on the next page refresh. Not even calling the save(...) method or setting the unset option to 'destroy' can remedy that situation.

The express-session readme should include these edge case scenarios in one of its Note sections at the top of the page. It would curb some of the headwinds surrounding its auto-save feature.

My philosophy to this type of thing is: when a package is too quirky for a use-case, either find a more suited package or just source your own solution if possible. Workarounds tend to warp application logic thereby making it error prone and difficult to maintain over time.

Answer 2

I´ve rewrite the code like this:

app.post('/login', function(req, res) {
   console.log("Before: ");
   console.log(sess);
   sess = req.session;
   sess.key = "SecureKEy";
   req.session.save();
   console.log("After: ");
   console.log(sess);
});

With that it work correctly. But if I would resend the logged in page with res.send the session would be automaticly saved? Is that correct?