Tags: amazon-web-services, passport.js, express-session, sticky-session, cookie-session

auth0+passport.js too many redirects with more than 1 instance


Infrastructure:

cloud: AWS Beanstalk, nginx turned on as the container proxy server, Application Load Balancer (HTTPS only, default process HTTPS), 2+ instances in a private subnet, end-to-end encryption enabled following https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html and https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-docker.html

self-signed certificate on the instance; the instance is running Docker

Locally, we have 3 containers to mimic the infrastructure:

1 nginx container: 443 as load balancer and HTTPS reverse proxy; 2 app containers: 3000:3000 and 3001:3001 respectively, so no end-to-end encryption yet

software: auth0 passport (https://github.com/auth0/passport-auth0), express, react, cookie-session package

const uid = require('uid-safe'); // assumed to be the uid-safe package; uid.sync(n) returns a fresh random id

const sessionConfig = {
  name: 'sessionId',
  secret: uid.sync(18), // generated at startup, so each running process gets a different secret
  secure: true,
  httpOnly: true,
  secureProxy: true,
  maxAge: 1800 * 1000
};

workflow: open the website, click the login link, it then redirects us to the Auth0 login page; after inputting username/password, we click submit.

We are encountering "redirected you too many times" when we have more than 1 instance running. The issue goes away if I turn on sticky sessions on the target group in AWS.

We are seeing the same when trying on the local docker environment.

In this code,

const passport = require('passport');
const authenticate = passport.authenticate.bind(passport); // authenticate() below is passport.authenticate

router.get('/callback', (req, res, next) => {
  authenticate('auth0', (authErr, user) => {
    if (authErr) {
      console.error(`Error authenticating user: ${authErr}`);
      return next(authErr);
    }
    if (!user) {
      console.info(`No user data, redirecting to login page`);
      return res.redirect('/login');
    }
    // Completed so the snippet runs: establish the login session, then send the user on ('/' is assumed).
    req.logIn(user, (loginErr) => {
      if (loginErr) return next(loginErr);
      return res.redirect('/');
    });
  })(req, res, next); // the custom-callback form of passport.authenticate returns middleware that must be invoked
});

The logic always hits if (!user), and we are not sure why this happens with the multiple-instance, load balancer setup.

Update:

Sorry I am new to this,

I am wondering if I can use cookie-session instead of express-session, since JWT is supposed to not store information on the server.

I am asking because I have read a few tutorials on passport and Auth0, and they also only mention express-session.

Since Auth0 is using JWT, could I use cookie-session? If so, what could I be doing wrong?

PS. Here is my session config:

const uid = require('uid-safe'); // assumed to be the uid-safe package; uid.sync(n) returns a fresh random id

const sessionConfig = {
  name: 'sessionId',
  domain: 'example.com',
  secret: uid.sync(18), // generated at startup, so each running process gets a different secret
  secure: true,
  httpOnly: true,
  maxAge: 1800 * 1000
};

Please advise and help. Thank you! Jay


Solution

  • The issue is resolved.

    It is because the secret is random, so a fixed secret was not shared between servers.