Currently when running Login Server, the cookie is set for the base domain and path /. This means that if there are two parallel instances of Login Server on the same domain (let's say under /login-test1/ and /login-test2/), they will override each other's cookie and simply opening one will remove the cookie set by the other instance.
This could be easily circumvented by either using a unique cookie name for each instance (maybe based on namespace?), or by setting the cookie's path (although I will need to check if this has other consequences; I'm suspecting it won't be possible).

Edit:

> The `Path` attribute indicates a URL path that must exist in the requested URL in order to send the `Cookie` header.

So we can't use Path.
Edit: From the express-session docs:

> `name`
>
> The name of the session ID cookie to set in the response (and read from in the request).
>
> The default value is `'connect.sid'`.
>
> Note if you have multiple apps running on the same hostname (this is just the name, i.e. `localhost` or `127.0.0.1`; different schemes and ports do not name a different hostname), then you need to separate the session cookies from each other. The simplest method is to simply set different `name`s per app.
Edit:

- I got confused; `namespace` is only in JSKOS Server, not here. But we could use the base URL instead (`login-server-https://...` as name).
- One question remains: Should this default be changed for everyone, or should it be opt-in with a setting? The former would mean all old sessions would be invalidated once someone updates to the new version introducing this feature. We could also add a temporary code path that renames (or copies?) the cookie if the old name is found (which is probably what I would do).