I have just completed my signup auth with passport.js, but I kept getting an error when I was trying to use the login auth:

Error: Failed to serialize user into session

This was my post route:


        if (req.user) {
            console.log("Logged In!")
        } else {
            console.log("Not logged in!")
        }


I saw a comment on Stack Overflow that says we need to do:

    app.post('/login', passport.authenticate('local', {
      successRedirect: '/accessed',
      failureRedirect: '/access',
      session: false
    }));

In the login route.

Using the code above does solve the error message. Maybe this is my poor understanding of passport authentication, but isn't the point of going through the login to store the user info in the session? If we set session to false, how do we store the user info?

2 Answers

Kunvar Singh On

Try below:

Please make sure you use the newest version of passport (which is 0.2.1 as of today).

Please try passing { session: false } as a second parameter of your req.logIn() function:

    app.get('/login', function (req, res, next) {
      passport.authenticate('local', function (err, user, info) {
        if (err) { return next(err); }
        if (!user) { return res.redirect('/login'); }

        // session: false skips serializing the user into the session
        req.logIn(user, { session: false }, function (err) {

          // Should not cause any errors

          if (err) { return next(err); }
          return res.redirect('/users/' + user.username);
        });
      })(req, res, next);
    });

See the link below for more: PassportJS - Custom Callback and set Session to false

Shobhit Chittora On

This is taken from the docs of passport.js.

Disable Sessions

After successful authentication, Passport will establish a persistent login session. This is useful for the common scenario of users accessing a web application via a browser. However, in some cases, session support is not necessary. For example, API servers typically require credentials to be supplied with each request. When this is the case, session support can be safely disabled by setting the session option to false.

So basically, the difference is that for clients such as browsers, you usually want to have session persistence. For cases when you're calling internal APIs and don't really need persistence, you disable sessions.
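
For the browser case where the session should be kept, the following is an added example, not part of the original question or answers. Passport raises "Failed to serialize user into session" when no `serializeUser` callback has been registered, so this sketch registers one together with `deserializeUser`. The `users` map, `findUserById` and `registerSessionHandlers` are hypothetical names, and the user record is constructed sample data.

```javascript
'use strict';

// Constructed sample user store standing in for a database (hypothetical data).
const users = new Map([
  [1, { id: 1, username: 'alice', passwordHash: '<constructed-hash>' }],
]);

// Hypothetical lookup helper; synchronous here so the example runs offline.
// A real application would query its database and call cb when done.
function findUserById(id, cb) {
  cb(null, users.get(id) || null);
}

// Called once at login: decides what is written into the session.
// Only the id is stored, so the password hash never reaches the session store.
function serializeUser(user, done) {
  if (!user || user.id === undefined) {
    return done(new Error('user has no id to serialize'));
  }
  done(null, user.id);
}

// Called on each request that carries a session: turns the stored id
// back into the object Passport exposes as req.user.
function deserializeUser(id, done) {
  findUserById(id, (err, user) => {
    if (err) return done(err);
    // Account removed since login: false tells Passport to drop the session user.
    if (!user) return done(null, false);
    // Hand back a copy without the credential field.
    const { passwordHash, ...safeUser } = user;
    done(null, safeUser);
  });
}

// Register both callbacks on a Passport instance before any login route runs.
function registerSessionHandlers(passport) {
  passport.serializeUser(serializeUser);
  passport.deserializeUser(deserializeUser);
}
```

In an application this would be wired up with `registerSessionHandlers(require('passport'))`, after which the login route can drop `session: false` and `req.user` is populated on later requests.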