jaredhanson · tsunamyh · Sep 5, 2022
diff --git a/lib/sessionmanager.js b/lib/sessionmanager.js
@@ -25,33 +25,52 @@ SessionManager.prototype.logIn = function(req, user, options, cb) {
 
   // regenerate the session, which is good practice to help
   // guard against forms of session fixation
-  req.session.regenerate(function(err) {
-    if (err) {
-      return cb(err);
-    }
-
+  if (req.sessionID) {
+    req.session.regenerate(function(err) {
+      if (err) {
+        return cb(err);
+      };
+
+      self._serializeUser(user, req, function(err, obj) {
+        if (err) {
+          return cb(err);
+        }
+        if (options.keepSessionInfo) {
+          merge(req.session, prevSession);
+        }
+        if (!req.session[self._key]) {
+          req.session[self._key] = {};
+        }
+        // store user information in session, typically a user id
+        req.session[self._key].user = obj;
+        // save the session before redirection to ensure page
+        // load does not happen before session is saved
+        req.session.save(function(err) {
+          if (err) {
+            return cb(err);
+          }
+          cb();
+        });
+      });
+    });
+  } else {
+    // To work cookie-session
     self._serializeUser(user, req, function(err, obj) {
       if (err) {
         return cb(err);
       }
+      req.session = {}
+
       if (options.keepSessionInfo) {
         merge(req.session, prevSession);
-      }
+      };
       if (!req.session[self._key]) {
         req.session[self._key] = {};
-      }
-      // store user information in session, typically a user id
+      };
       req.session[self._key].user = obj;
-      // save the session before redirection to ensure page
-      // load does not happen before session is saved
-      req.session.save(function(err) {
-        if (err) {
-          return cb(err);
-        }
-        cb();
-      });
+      cb();
     });
-  });
+  }
 }
 
 SessionManager.prototype.logOut = function(req, options, cb) {
@@ -68,28 +87,38 @@ SessionManager.prototype.logOut = function(req, options, cb) {
   // clear the user from the session object and save.
   // this will ensure that re-using the old session id
   // does not have a logged in user
-  if (req.session[this._key]) {
-    delete req.session[this._key].user;
+  if (req.session[self._key]) {
+    delete req.session[self._key].user;
   }
   var prevSession = req.session;
 
-  req.session.save(function(err) {
-    if (err) {
-      return cb(err)
-    }
-
-    // regenerate the session, which is good practice to help
-    // guard against forms of session fixation
-    req.session.regenerate(function(err) {
+  if (req.sessionID) {
+    req.session.save(function(err) {
       if (err) {
         return cb(err);
-      }
-      if (options.keepSessionInfo) {
-        merge(req.session, prevSession);
-      }
-      cb();
+      };
+
+      // regenerate the session, which is good practice to help
+      // guard against forms of session fixation
+      req.session.regenerate(function(err) {
+        if (err) {
+          return cb(err);
+        }
+        if (options.keepSessionInfo) {
+          merge(req.session, prevSession);
+        }
+        cb();
+      });
     });
-  });
+  } else {
+    // to work cookie-session
+    req.session = null;
+    if (options.keepSessionInfo) {
+      req.session = {}
+      merge(req.session, prevSession);
+    }
+    cb();
+  } 
 }