Unexpected Behavior when working with express-session

[brandon-hedrick]

I'm working on a project with Express and socket.io where I'm attempting to create a websocket-only server. I'd like to create an express-session to store a small amount of information about the user and facilitate re-identifying them in the event of a disconnection. I'm following the guide for usage with express-session but the behavior I'm seeing is unexpected.

Expected behavior

• When a client connects to the socket.io endpoint a session is created if they do not have one. This is stored in the session store (in my case a memory store)
• A session cookie is set via a set-cookie header in the response of the socket.io connection storing the cookie in the user's browser.
• The session object is available by accessing socket.request.session

Observed behavior

• When a client connects to the socket.io endpoint, a session is created and stored in the memory store.
• A session cookie is NOT set via a set-cookie header in the response of the socket.io connection. In fact no set-cookie header is present whatsoever. This prevents the session from realistically being used.
• The session object is available by accessing socket.request.session however a new session is created on every event negating the usefulness of storing anything in it. I believe this behavior is somewhat expected considering the client has no cookie to send back since the above misbehaves.

Express/Session/Socketio code

import express from "express";
import * as http from "http";
import { Server, Socket } from "socket.io";
import session from "express-session";
const MemoryStore = require("memorystore")(session);
const MemoryStoreInstance = new MemoryStore({
  checkPeriod: 86400000, // prune expired entries every 24h
});
const COOKIE_SECRET = "secret";
const COOKIE_NAME = "sess";
const port = process.env.PORT || 4000;

const app = express();
const server = http.createServer(app);
const io = new Server(server, {
  cors: {
    origin: "http://localhost:3000", // my local client webserver
    methods: ["GET", "POST"],
    credentials: true,
  },
});

const sessionMiddleware = session({
  name: COOKIE_NAME,
  store: MemoryStoreInstance,
  secret: COOKIE_SECRET,
  saveUninitialized: true,
  resave: true,
  cookie: {
    path: "/",
    httpOnly: true,
    secure: false,
    maxAge: 86400000
  },
});
app.use(sessionMiddleware);

io.use((socket, next) => {
  sessionMiddleware(socket.request, {}, next);
});

// other code here...

server.listen(port, () => console.log(`Listening on port ${port}`));

Client code

import { io } from "socket.io-client";

const ENDPOINT = "http://127.0.0.1:4000";
const socket = io(ENDPOINT, { withCredentials: true });

FWIW I get the same results in Node 12 and 14. My client always successfully connects.

I've spent some time trying to figure out exactly what is wrong but I haven't arrived at anything and I've hit the wall thinking I must have done something wrong or misunderstood the documentation. I'm happy to create a quick repository if that would be more helpful. Thanks in advance!