javascript - Node.js & Express session problem

Question

I'm having a problem with sessions, where sometimes the session variable I just set is undefined on the next page request. I typically have to go through the flow again in order to properly set the variables.

I can confirm that I'm not trying to set the session variables to undefined; they have a legit value.

In my app, users move from /twitter/connect/ to /twitter/callback/. The former retreives some oauth data from twitter, the latter logs the user into twitter.

/twitter/connect/ is simple:

app.get('/twitter/connect/?', function(req, res){
    consumer().getOAuthRequestToken(function(error, oauthToken, oauthTokenSecret, results){
        if (error){
            // error handling here
        } else {
            req.session.oauthRequestToken = oauthToken;
            req.session.oauthRequestTokenSecret = oauthTokenSecret;

            // if I console.log the two session variables above
            // they have the proper values.

            res.redirect("https://twitter.com/oauth/authorize?oauth_token="+req.session.oauthRequestToken);      
        }
    });
});

After that, twitter sends them back to /twitter/callback/:

app.get('/twitter/callback/?', function(req, res){
    console.log(req.session.oauthRequestToken);
    console.log(req.session.oauthRequestTokenSecret);

    // more often than not, the two variables above are
    // undefined.  but not always.  usually on the first
    // pass, never on the second.
});

I have no idea what's going on, I can confirm that the session variables are being set properly, they just aren't holding their value in between page requests, but only the first time.

This is how I'm creating my server:

app.configure('development', function(){
    app.use(express.cookieParser());
    app.use(express.session({ secret:'yodawgyo' }));
    app.use(express.errorHandler({ dumpExceptions: true, showStack: true }));
    app.use(express.logger());
    app.use(express.static(__dirname + '/public'));
    app.set('view engine', 'ejs');
    app.set('view options', {
        open: '{{',
        close: '}}'
    });
});

I just have a dev environment for now. I have Node 0.5.0-pre installed, but saw this issue on 0.4.1 as well. I'm using express 2.3.2.

Any help is much appreciated.

Answer 1

In Connect's session, any handler can set req.session.anything to any value, and Connect will store the value when your handler calls end(). This is dangerous if there are multiple requests in flight at the same time; when they finish, one session value will clobber the other. This is the consequence of having such a simple session API (or see the session source directly), which has no support to atomically get-and-set session properties.

The workaround is to try to give the session middleware as few of the requests as necessary. Here are some tips:

1. Put your express.static handler above the session middleware.
2. If you can't move up some handlers that don't need the session, you can also configure the session middleware to ignore any paths that don't use req.session by saying express.session.ignore.push('/individual/path').
3. If any handler doesn't write to the session (maybe it only reads from the session), set req.session = null; before calling res.end();. Then it won't be re-saved.

If only one request does a read-modify-write to the session at a time, clobbering will be less likely. I hope that in the future, Connect will have a more precise session middleware, but of course the API will be more complicated than what we have now.