Setting { session: false } doesn't seem to work

[yizhao]

I have a node/express webapp with session setup. I use connect-mongo to store the sessions in mongodb, in a collection called 'sessions'. Hitting any rest endpoints on node/express seems to create/update an entry in the sessions collection.

Two questions:

1. I only enforce the local strategy on the /login endpoint. Why does a session get created every time an endpoint is hit? If the user isn't logged in, why does a session need to be created?
2. I implemented a new 'bearer' strategy. Configured it so session=false. passport.authenticate('bearer', { session: false }, function(err, user, info)

This still creates a session in the mongodb. Why is that?

[simonbs]

I have the same setup and get the exact same thing. Did you manage to find a solution to this, @yizhao?

[yizhao]

@simonbs we got around this issue by adding a piece of middleware in express before the session stuff which checks if user is logged in or about to log in, if not, don't do all this session business.

[etcetc]

I have the same issue. The documentation specifies that one can set session:false and not establish a session, so is this then a bug?