Duplicate Session Tokens for Users, Not Overwriting Sessions

[haroot]

Issue Description

Duplicate Session Tokens for Same User Pointer

Steps to reproduce

New to Company/Codebase not my codebase otherwise i'd be able to fix it and would have used my own framework I already have written.

Expected Results

Users login and have their Session (passport.js) token expire accordingly or get deleted/overwritten

Actual Outcome

Multiple Sessions and not Overwriting

Environment Setup

• Server

  • parse-server version (Be specific! Don't say 'latest'.) : 2.7.1
  • Operating System: Linux
  • Hardware: Heroku (heroku-16)
  • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): Heroku (Which is ran off of AWS apparently)

• Database

  • MongoDB version: 3.2.18
  • Storage engine: Wired Tiger
  • Hardware: [FILL THIS OUT]
  • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): Compose.com (IBM owned, ran off of AWS again LOL)

Logs/Trace

Jul 19 15:07:04 prod app/web.1: error: Error generating response. ParseError { code: 101, message: 'Invalid username/password.' } code=101, message=Invalid username/password.
Jul 19 15:07:04 prod app/web.1: error: Invalid username/password. code=101, message=Invalid username/password.
Jul 19 15:06:58 prod app/web.1: info: Ran cloud function getParseUserForEmail for user undefined with:
Jul 19 15:15:01 prod app/web.1: error: invalid session token code=209, message=invalid session token
Jul 19 15:15:01 prod app/web.1: error: invalid session token code=209, message=invalid session token
Jul 19 15:15:01 prod app/web.1: error: invalid session token code=209, message=invalid session token

[flovilmart]

This has been fixed in the latests parse server versions, and sessions are properly destroyed for the same installation id.

Also I’m not sure what passeport has to do with this.

[haroot]

Passport is what I used to Authenticate, and hence create session entries/cookies for my own backend/framework I created. I did have some issues with sessions piling up but was able to manually code a fix.

[flovilmart]

So... I’m not sure if the issue is with this project or your code then.

[haroot]

THis is not my code, my implementation of Passport.js worked fine ...

[flovilmart]

I also want to point out that sessions are unique per user/installationId pair. In your screenshot, all installationIds are different, so it makes sense a different session is created For each different installationId.

You can think of a session as the user being logged in on a device, the session table let the user review it’s logged in sessions. From what I can see, all is valid.

[haroot]

ok thanks than its very likely the bug since its version 2.7.1 . But our users don't log in from different devices, they do iOS phone or Android thats it. We have no web login, just 2 apps. When was the bug patched? since what version?

[flovilmart]

I mean that the sessions are created with the installationId and as you show in your table, all sessions have different installationId which is expected. If the bug was still there, you would see many sessions for the same installationId.

Yet, you have many sessions for a single user which points to some code that would create sessions from the server, like calling Parse.User.logIn from a server or cloud code as the installtionId is always different. Would it be the same it may point to an issue with your login process in the apps.

Also, are you able to isolate logs when running with VERBOSE=1 when this issue is shown? Can you post such logs so we can see the issue ?

[haroot]

Ah I see, but its still illogical to me to store too much data in a table, and this is mongoDB obv, I used PostGres. Will enable VERBOSE=1 saw it in a different post you mentioned and post it up thank you.
so verbose: true, In the parse constructor call

[flovilmart]

store too much data

The session is created because at one point, one should be created.

If your users have many devices and multiple web browsers, the session table let them disconnect them all individually. Sessions represent a user logged in on a particular device. You should triple check your code for calls to logIn.

[haroot]

Yah I personally think its a login call issue in iOS which there was a thread on here about with similar errors. Because each user doesnt have multiple devices , usually a phone. at most tablet and a phone.