It could be nice of passport.js not to litter in the session

[iliakan]

In initialize.js:

    } else if (req.session) {
      // initialize new session
      req.session[passport._key] = {};
      req._passport.session = req.session[passport._key];
    } else {

The problem is: it writes to req.session even if there's nothing to write.
For projects that don't write empty sessions to DB, that hurts a little bit, cause passport.js makes sesson 'dirty' even if there's nothing to write in it.

Right now I workaround this by a one more middleware wrapper around passport.initialize, which checks for an empty session.passport and deletes it.

But it could be nice of passport.js to remove that empty session.passport as it is actually a litter in the session.

P.S. Added PR

[timewarrior]

I am facing this too. Any chance this could be fixed :)

[jhicken]

Wow no kidding. I just looked at my sessions 73,000 unused sessions.

[Joris-van-der-Wel]

This issue breaks the saveUninitialized: false option in express-session. I need this option to comply with national privacy laws.
It would be great to have this resolved

[ghost]

+99 👍

[ghost]

@iliakan I tried creating a middleware function to do the same thing (since I don't want to fork passport at the moment) using the code in your PR. It works wonderfully, except when I'm trying to get a user logged in. It seems to always clean up the session object because it's always empty. Any suggestions?

app.use(passport.initialize());
app.use(passport.session());

app.use(function cleanupPassport(req, res, next) {
    if(Object.keys(req.session[passport._key]).length == 0) {
        delete req.session[passport._key];
    }
    next();
});

EDIT: The problem was that it deleted req.session.passport early in the middleware stack, but the authentication happened later on my /login route. I solved it by adding an if statement ignoring the delete operation if it's on my login route.

[iliakan]

That's what I'm using:

  app.use(function* cleanEmptySessionPassport(next) {
    yield* next;
    if (Object.keys(this.session.passport).length === 0) {
      delete this.session.passport;
    }
  });

P.S. That's for Koa.JS

[Joris-van-der-Wel]

Here's my version:

var onHeaders = require('on-headers');

app.use(expressSession(...));

app.use(function cleanupPassportSession(req, res, next)
{
    // hook me in right AFTER express-session
    onHeaders(res, function()
    {
        if (Object.keys(req.session.passport).length === 0)
        {
            delete req.session.passport;
        }
    });

    next();
});

on-headers is what express-session uses. Using this method the passport key will be cleared right before express-session determines if it should write a cookie (aka as late as possible).

[ashelley]

Nice, I wish i noticed this thread before... I changed passport to not initialize the session at all here but I like your solution until something gets pulled into the official package... thank you,

#320

[wesleytodd]

I packaged up my solution to this problem, it is a hack, but it does the trick: https://github.com/wesleytodd/express-session-passport-cleanup

I will maintain this at least until this gets merged if anyone wants to use it. It is similar to what @Joris-van-der-Wel did above, but using the res.end override.

[benheymink]

@jaredhanson Any thoughts on this?

[benheymink]

I've fixed this slightly differently, by checking for empty objects in express before setting the cookie. inside index.js in express-session I've added the following check to the onHeaders handler:

  // Delete any empty data blobs on the session (*cough* Passport *cough*)
  //
  Object.keys(req.session).forEach(function(element, index, array){
    if(typeof req.session[element] === 'object' && Object.keys(req.session[element]).length === 0){
      delete req.session[element];
    }
  });

[wesleytodd]

The main benefit of the package I linked to is that it doesn't require any modifications to the other packages and you can just delete the module when it is fixed without any other changes. But the real solution is here, in this package. Anyone have an ETA on this?

[jaredhanson]

Fixed by merging #320. Published to npm as passport 0.3.0.