req.login redirect is done before the user info is saved in the session

[franckl]

I have a simple login page with local auth and custom callback.
When the login is successful, I redirect the user to the main page and check if (req.isAuthenticated()) is true.
50% of the time, req.isAuthenticated() returns false. It seems that the redirect is happening before the session information is updated. It didn't notice this issue when I was using the standard local auth options without custom callback.

Any idea ?

    self.app.post('/login', function (req, res, next) {
        passport.authenticate('local', function (err, user, info) {
            if (err) {
                return next(err);
            }

            var sanitizedEmail = validator.escape(req.body.username);
            if (!user) {
                req.flash('error', 'Wrong email or password');
                req.flash('emailL', sanitizedEmail);
                return res.redirect('/login');
            }
                req.logIn(user, function (err) {
                    if (err) {
                        return next(err);
                    }
                        return res.redirect('/main/');
                });
        })(req, res, next);
    });

[chriswininger]

Yeah I've seen this same issue. There is a workaround posted in this ticket #306

Basically they suggest saving the session manually and waiting for the save callback before hitting your redirect, that is what we are now doing, but I can't say I love that solution. Anyone more familiar with the passport code know of a better way to address this? Is there a second callback or event we can listen for. Should not req.logIn wait for the session save to finish before hitting the callback? Thoughts?

[rhzs]

@franck34 I have the same issue too here. +1

[saiichihashimoto]

Lol, issue 401

[mckenzieja]

Still an issue for me. Cannot find a fix for it. Implementing the hack.

@jaredhanson

[strong0588]

I do have a similar problem of req.user not being saved properly on the redis database.
Apart from doing req.session.save, what works for me is to set saveUninitialized to false.

The reason behind the problem is user send more than 1 requests almost at the same time to my api server, one for authentication/login and the others for retrieving data. As a result, more than 1 cookie is being set on the client side. When the client send subsequent requests to the server, the server somehow parse one of the cookies which does not contain the user info in the session store.