From cb5a79b1bfdbd27785bd2e7277596f30ffe9175f Mon Sep 17 00:00:00 2001
From: Blade Barringer
Date: Sat, 26 Mar 2016 08:31:59 -0500
Subject: [PATCH] chore: Set express session options
---
 package.json | 3 +--
 website/src/server.js | 24 ++++++++++++++++--------
 2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/package.json b/package.json
index 687a2fe0f7..058433df62 100644
--- a/package.json
+++ b/package.json
@@ -19,12 +19,11 @@
 "browserify": "~12.0.1",
 "compression": "^1.6.1",
 "connect-ratelimit": "0.0.7",
- "cookie-parser": "^1.4.1",
+ "cookie-session": "^1.2.0",
 "coupon-code": "~0.3.0",
 "domain-middleware": "~0.1.0",
 "express": "^4.13.4",
 "express-csv": "~0.6.0",
- "express-session": "^1.13.0",
 "firebase": "^2.2.9",
 "firebase-token-generator": "^2.0.0",
 "glob": "^4.3.5",
diff --git a/website/src/server.js b/website/src/server.js
index e519f1895f..86349fcdcd 100644
--- a/website/src/server.js
+++ b/website/src/server.js
@@ -28,12 +28,13 @@ if (cores!==0 && cluster.isMaster && (isDev || isProd)) {
 } else {
 var express = require("express");
 var bodyParser = require('body-parser');
- var session = require('express-session');
- var cookieParser = require('cookie-parser');
+ var session = require('cookie-session');
 var logger = require('morgan');
 var compression = require('compression');
 var favicon = require('serve-favicon');
+ var BODY_PARSER_LIMIT = '1mb';
+ var http = require("http");
 var path = require("path");
 var swagger = require("swagger-node-express");
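Review bot: `var BODY_PARSER_LIMIT = '1mb';` is a bare magic value dropped between the require() lines with nothing saying why body-parser's default cap is being raised or what it bounds; a one-line comment would do, e.g. `var BODY_PARSER_LIMIT = '1mb'; // cap for urlencoded/json request bodies (body-parser defaults to 100kb)`. It would also read better grouped with the module's other configuration constants rather than in the middle of the imports. The hunk's line counts (+13 vs -12) suggest a blank line is added after it and `var http` is unchanged context, though the collapsed layout makes that hard to confirm. The enclosing `else` block continues well past this hunk.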
@@ -126,13 +127,20 @@ if (cores!==0 && cluster.isMaster && (isDev || isProd)) {
 var redirects = require('./middlewares/redirects');
 oldApp.use(redirects.forceHabitica);
 oldApp.use(redirects.forceSSL);
- oldApp.use(bodyParser.urlencoded({ extended: true }));
- oldApp.use(bodyParser.json());
+ oldApp.use(bodyParser.urlencoded({
+ extended: true,
+ limit: BODY_PARSER_LIMIT,
+ }));
+ oldApp.use(bodyParser.json({
+ limit: BODY_PARSER_LIMIT,
+ }));
 oldApp.use(require('method-override')());
- //oldApp.use(express.cookieParser(nconf.get('SESSION_SECRET')));
- oldApp.use(cookieParser());
- oldApp.use(session({ secret: nconf.get('SESSION_SECRET'), httpOnly: false, cookie: { maxAge: TWO_WEEKS }}));
- //oldApp.use(express.session());
+ oldApp.use(session({
+ name: 'connect:sess', // Used to keep backward compatibility with Express 3 cookies
+ secret: nconf.get('SESSION_SECRET'),
+ httpOnly: false,
+ maxAge: TWO_WEEKS
+ }));
 // Initialize Passport! Also use passport.session() middleware, to support
 // persistent login sessions (recommended).
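Review bot: `httpOnly: false` in the new `session({...})` call now takes effect, which it did not before: express-session only honours `httpOnly` inside its `cookie` option, so the removed line's top-level `httpOnly: false` was ignored and the cookie stayed HttpOnly by default, whereas cookie-session reads the top-level option and will emit a session cookie that page scripts can read. Unless something client-side genuinely needs it, drop that line or set `httpOnly: true,` (cookie-session's default). With cookie-session the entire session payload lives in that cookie, signed with the single `secret` but not encrypted, so anything Passport serialises into it is visible to whoever can read the cookie; given the `forceSSL` middleware just above, adding `secure: isProd,` would keep it off plain-HTTP responses, though whether cookie-session detects HTTPS behind the proxy depends on the app's trust-proxy setting, which is not in this hunk. The enclosing `else` block continues outside the hunk.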