I am serving all static content on my app through a subdomain.
However, my express app is still setting session cookies on the static content. I tried setting the path like this as per the docs:
    app.use(express.session({
        secret: 'your app secret',
        cookie: {
            domain: '.yourdomain.com'
        },
        store: new MongoStore({
            db: 'db',
            host: 'localhost',
            port: config.dbPort
        })
    }));
but it still doesn't work for me. I also tried using 'path':
    cookie: {
        path: '.yourdomain.com'
    }
but even that doesn't prevent setting of cookies on static content.
Any ideas on how to remove cookies from all static content?
Request Headers
Accept:text/css,*/*;q=0.1
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Host:cdn.yourdomain.com
Referer:http://localhost:8888/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Response Headers
Cache-Control:public, max-age=86400
Connection:keep-alive
Content-Encoding:gzip
Content-Type:text/css; charset=UTF-8
Date:Mon, 28 May 2012 09:02:09 GMT
Last-Modified:Tue, 01 May 2012 03:57:45 GMT
Server:nginx
Set-Cookie:connect.sid=d9nEPGiAeSwGFUN2Ra8CGBmq.tPdTQdk7O2UUvO2q%2BEOG2%2Fgh%2FNEdIxtUZYdUN%2FtDmas; domain=www.yourdomain.com; path=/; expires=Mon, 28 May 2012 13:02:08 GMT; httpOnly
Transfer-Encoding:chunked
X-Cache:MISS
X-Edge-Id:353260802
The connect session middleware works this way. Cookies are set regardless of the current host. This is good from a performance point of view, but inherently causes issues like this.
I see two solutions for this issue:
Use Connect's Vhost middleware. IMO, this is the most straightforward solution. Just create a separate app for cdn.yourdomain.com without including the session middleware for it.
Create a wrapper around the session middleware in order to include it only for requests with the correct host. This is a pretty odd solution, and can disturb other middleware like CSRF.
Anyway, I would say that using Node.js for serving static assets may look like a strange idea. For this, web servers like Nginx are unbeatable in terms of performance and lightness. Requests for static assets should ideally not even reach Node.js.
--
FYI, code for the second solution could look like this (untested):
    function hostAwareSessionMiddleware(options) {
        var originalMiddleware = express.session(options);
        if (!options.cookie || !options.cookie.domain) return originalMiddleware;
        var domain = options.cookie.domain;
        // Escape every dot before building the pattern: String.replace with a
        // string argument only replaces the first occurrence, so use a global regex.
        var escaped = domain.replace(/\./g, '\\.');
        // A leading dot means "this domain and any subdomain", as in the cookie
        // Domain attribute, so allow any label(s) in front of it.
        if (domain[0] === '.') escaped = '(.+)' + escaped;
        var regex = new RegExp('^' + escaped + '$', 'i');
        return function(req, res, next) {
            if (!req.headers.host) return next();
            // Strip an explicit port (e.g. "localhost:8888") before matching.
            var host = req.headers.host.replace(/:\d+$/, '');
            if (regex.test(host)) {
                return originalMiddleware(req, res, next);
            }
            next();
        };
    }
    // express, MongoStore (connect-mongo) and config are assumed to be
    // required earlier in the app, as in the question.
    app.use(hostAwareSessionMiddleware({
        secret: 'your app secret',
        cookie: {
            domain: 'yourdomain.com'
        },
        store: new MongoStore({
            db: 'db',
            host: 'localhost',
            port: config.dbPort
        })
    }));
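The host-gating idea from the second solution, as an added example that is not part of the question or the answer and not connect's or express's code. It is framework-free so it runs without express: `hostGate` wraps any connect-style `(req, res, next)` middleware and only invokes it when the request's Host header (port stripped, case-folded) matches one of the allowed hosts. `fakeSession`, `fakeStatic` and `simulate` are constructed stand-ins for the session middleware, the static handler and the request pipeline; the hostnames are the placeholders from the question. `hostMatchesDomain` uses cookie Domain semantics, which shows the caveat in the answer's approach: a leading-dot domain like `.yourdomain.com` also matches `cdn.yourdomain.com`, so the gate has to be built from the exact hosts that should carry a session, not from the cookie domain.

```javascript
'use strict';

// Hostname from the Host header: strip ":port", lower-case, keep IPv6 literals intact.
function hostnameOf(req) {
  var host = req.headers && req.headers.host;
  if (!host) return null;
  var m = /^(\[[^\]]*\]|[^:]+)(?::\d+)?$/.exec(host.trim());
  return m ? m[1].toLowerCase() : null;
}

// Cookie-style domain match. ".yourdomain.com" matches the domain itself and
// every subdomain (label-aligned, so "evilyourdomain.com" does not match);
// a domain without a leading dot must match exactly.
function hostMatchesDomain(hostname, domain) {
  domain = domain.toLowerCase();
  if (domain.charAt(0) === '.') {
    var suffix = domain.slice(1);
    return hostname === suffix || hostname.endsWith('.' + suffix);
  }
  return hostname === domain;
}

// Wrap a connect-style middleware so it runs only for the listed hosts;
// every other request skips it and continues down the chain.
function hostGate(allowedHosts, middleware) {
  var list = Array.isArray(allowedHosts) ? allowedHosts : [allowedHosts];
  return function (req, res, next) {
    var hostname = hostnameOf(req);
    var allowed = hostname !== null && list.some(function (d) {
      return hostMatchesDomain(hostname, d);
    });
    if (allowed) return middleware(req, res, next);
    next();
  };
}

// Constructed stand-in for express.session: it only sets a cookie header.
function fakeSession(req, res, next) {
  res.headers['Set-Cookie'] = 'connect.sid=EXAMPLE; path=/; httpOnly';
  next();
}

// Constructed stand-in for express.static: it only sets a content type.
function fakeStatic(req, res, next) {
  res.headers['Content-Type'] = 'text/css';
  next();
}

// Run a fake request with the given Host header through a middleware chain
// and return the response headers that were set.
function simulate(host, middlewares) {
  var req = { headers: { host: host } };
  var res = { headers: {} };
  var i = 0;
  function next() {
    var mw = middlewares[i++];
    if (mw) mw(req, res, next);
  }
  next();
  return res.headers;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Only the application hosts get a session; the CDN host is served without one.
  var chain = [hostGate(['www.yourdomain.com', 'yourdomain.com'], fakeSession), fakeStatic];
  console.log('www:', simulate('www.yourdomain.com:8888', chain));
  console.log('cdn:', simulate('cdn.yourdomain.com', chain));
}
```

In a real express app the gate replaces the plain session registration, e.g. `app.use(hostGate(['www.yourdomain.com'], express.session(options)))` placed before `express.static`, and the allowed-host list is the application hostnames, never the CDN hostname. Because the session middleware is simply skipped for the CDN, anything later in the chain that expects `req.session` (the answer mentions CSRF) must also be gated or tolerate its absence.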