Can't succeed persisting session across multiple APIs call performed between a Backbone App and Node.js Server with Express, Express-Session and Express-Cors. Looks like session is reinitialized/lost after every call.

Long version:

I'm having a client Backbone/React/Flux application running on localhost:3000 performing the following call on a Node.js server running on localhost:4242:

Http calls

POST http://localhost:4242/api/session

 Content-Type application/json; charset=utf-8
 Set-Cookie connect.sid=s%3AFeNYY5GQGvkyRvOym7DhysprePaQr7xP.BrxOPP56k9pDpxQPvwjDFaxkEYoHU%2FAEtNUIXGltqjI; Domain=http://localhost:3000; Path=/
 Vary Origin
 X-Powered-By Express
 access-control-allow-credentials   true
 access-control-allow-orign http://localhost:3000

 Accept application/json, text/javascript, */*; q=0.01
 Content-Type application/json; charset=utf-8
 Cookie connect.sid=s%3AjP4iADZvRnDHbJcCE8H81Zy6TIehj9BJ.eDOTw44GcHqq8i2dslBGd43tXMQ22ENl31fRizdC8iA
 Host localhost:4242
 Origin http://localhost:3000
 Referer http://localhost:3000/login

GET http://localhost:4242/api/users

 Content-Type application/json; charset=utf-8
 Set-Cookie connect.sid=s%3ARxf91_vLMBqzB6xN-0QFIIk_-SyBP9_8.F1Mr%2BVSkYNJ6MqnzO%2BsxxfwXRinIX6th80SoukG1QBM;Domain=http://localhost:3000; Path=/
 Vary Origin
 X-Powered-By Express
 access-control-allow-credentials   true
 access-control-allow-orign http://localhost:3000

 Accept application/json, text/javascript, */*; q=0.01
 Content-Type application/json; charset=utf-8
 Cookie connect.sid=s%3AjP4iADZvRnDHbJcCE8H81Zy6TIehj9BJ.eDOTw44GcHqq8i2dslBGd43tXMQ22ENl31fRizdC8iA
 Host localhost:4242
 Origin http://localhost:3000
 Referer http://localhost:3000/login

Basically the first call POST /api/session is logging-in the user and attempting to store an API token in the session. Second call GET /api/users is triggered right after the first one succeed, and retrieving user information.

Backbone method

Here's my Backbone method on the Session model for logging-in :

  login: (options) ->
    @set {user: options.user, password: options.password}
    @save ['user', 'password'],
      success: (data) =>
        @set({authenticated: true, accessToken: data.accessToken, password: null})
        options.success(data) # trigger the second call here
      error: (error) =>

And the call to /api/users in my UserStore

users: (options) ->
    success: (users) =>
      @users = users

Using those different options (I've overridden Backbone.sync in Backbone.Collection/Backbone.Model):

class UsersCollection extends Backbone.Collection

  url: '/api/users'
  model: UserModel

  sync: (method, model, options) ->
    options ?= {}
    options.url ?= @url
    options.dataType ?= 'json'
    options.contentType ?= "application/json; charset=utf-8"
    options.crossDomain ?= true
    options.xhrFields ?= {"withCredentials": true}
    super(method, model, options)

(Simplified version: same thing for both Models and Collection, using BaseCollection and BaseModel, where I am overridding the sync() method).

So that Console.log(options) in Backbone.sync(method, model, options) is returning :

{"url":"http://localhost:4242/api/session","dataType":"json","contentType":"application/json; charset=utf-8","crossDomain":true,"validate":true,"parse":true,"xhrFields":{"withCredentials":true}} 

Node.js setup and methods

Here's my Node.js router setting-up Express :

BodyParser = require 'body-parser'
Session = require 'express-session'
Cors = require 'cors'

class Router

  constructor: (express) ->
    @express = express
    @express.use BodyParser.json()
    @express.use Cors(@corsConfig())
    @express.use Session(@sessionConfig())
    # Express routes are set here
    # @express.post '/api/session', (request, response) => [...]
    # @express.get '/api/users', (request, response) => [...]

  corsConfig: ->
    origin: 'http://localhost:3000'
    credentials: true

  sessionConfig: ->
    secret: 'whatever'
      secure: false
      httpOnly: false
      domain: 'http://localhost:3000'

Here's my Node.js method handling POST /api/session

  login: (request, response) ->
    session = request.session
    console.log JSON.stringify(session)
    console.log request.sessionID
    console.log '---------------------------------------------'
    if session.accessToken
      console.log 'session with token!'
      response.json {accessToken: session.accessToken}
      console.log 'performing credentialAuthentication'
      user = request.body.user
      password = request.body.password
        user: user
        password: password
        success: (accessToken) ->
          request.session.accessToken = accessToken
          console.log JSON.stringify(session)
          console.log request.sessionID
          console.log '---------------------------------------------!!!'
          response.json {accessToken: accessToken}
          # also tried with response.send()

And the one handling GET /api/users

  @express.get '/api/users', (request, response) =>
    console.log JSON.stringify(request.session)
    console.log request.sessionID
    console.log '---------------------------------------------'

Node.js Log

Here's the log:

  express:router dispatching OPTIONS /api/session
  express:router dispatching POST /api/session
performing credentialAuthentication
  express:router dispatching GET /api/users

As you can see the CORS request is performing normally, I am properly getting my token and then attempting to store it within the session.

However in the second call the session isn't persisted and I can't access the variable (accessToken) that I am actually setting in my first call.

Looking at the log and at the HTTP Headers of the two call, it looks like the session is reinitialized each time, as the session ID is changing and each request - and there is a Set-Request header sent every time (which shouldn't be the case, as far as I understand).

I suspect this behavior is caused by some incoherent or missing configuration at the CORS level, or due to the path set for Sessions (Express.use(path, middleware), and Cookie({path: '/'})). However, despite many attempt with different configuration, setup and headers, I really can't make it work.

Anyone able to enlighten me on this behavior and what I am missing is very welcome :)
Thank you!

PS: My apologies to the non-CoffeeScript developers ;)

  • How are you calling `GET /api/users`, and with what options..? – T J Nov 30 '15 at 14:38
  • BTW Are you adding the session middleware before both `POST` and `GET` handlers..? or are you using default in memory session store..? In case you happen to restart the server between these requests then new session will be created...I Know the probability is very less but in case if it helps :v – T J Nov 30 '15 at 17:50
  • Well, I am setting the Session middleware in my Router class, and only then setting the express routes. Also tried to setup the Session middleware per express route, but of course it doesn't change anything :( Session should be stored in-memory, and of course I am not expecting the server to persist them if restarted; The two calls are performed in the same instance, right after each other, as you can see in the code. – nakwa Dec 01 '15 at 09:51
  • For cookies to works over CORS the browser must support 3rd party cookies. Many browsers today blocking it. – Aminadav Glickshtein Dec 06 '15 at 06:49
  • I am testing using the latest version of Firefox and Chrome; both support 3rd party cookies... – nakwa Dec 07 '15 at 10:34

1 Answers1


Here's the answer (simple one): I had misconfigured my Session middleware; The cookie.domain options was causing the problem. Here's the proper configuration :

sessionConfig: ->
  secret: 'whatever'
    secure: false
    httpOnly: false

This option isn't required/existing (anymore?) with the express/session middleware; Not sure why I originally used it, probably something from an outdated reference (to express/cookie-parser or express/cors).

  • Hi, I am doing API call from my node js application to spring security application. I am getting ``Could not verify the provided CSRF token because your session was not found``. How can i solve this issue? I have tried to pass the ``X-XSRF-TOKEN`` in header but it seems i have to pass the session as well of existing request. Any idea? – Jayesh Dhandha Aug 17 '18 at 13:00