I'm getting a session mismatch error when logging in!

Developer FAQ
  • This topic was created as an entry in the Developer FAQ. Respond below if you have additional information to add re: SSO or other session-sharing implementations.

    The common causes for a session mismatch error are usually one of the following:

    1. Mis-configured URL parameter in your config.json file

    If you have a misconfigured url value in your config.json file, the cookie may be saved incorrectly (or not at all), causing a session mismatch error. Please ensure that the link you are accessing your site with and the url defined match.

    2. Improper/malformed cookieDomain set in ACP

    Sometimes admins set this value without realising that they probably don't need to set it at all. The default is perfectly fine. If this is set, you'll want to revert the setting by editing your database directly:

    Redis: hdel config cookieDomain
    MongoDB: db.objects.update({ _key: "config" }, { $set: { "cookieDomain": "" } });

    3. Missing X-Forwarded-Proto header from nginx/apache

    If you are using a reverse proxy, you will need to have nginx pass a header through to NodeBB so it correctly determines the correct cookie secure property.

    In nginx, you will need to add the directive like so:

    location / {
        # tells NodeBB whether the client connected over http or https
        proxy_set_header X-Forwarded-Proto $scheme;
    }

Suggested Topics

  • @DownPW yeah for Windows, it's just the executable as downloaded from the GitHub releases page.

    The script for Linux and Mac does the same thing, it just automatically updates the $PATH variable for you.

  • Let's say you have your own site and member database, with its own gated access to content, and you want to mimic this sort of arrangement with your forum.

    e.g. On member site, you have free users and paid users, and you want to only allow access to a couple super special categories on community site to paid users, while free users get the regular set of categories.

    The good news is, the Session Sharing plugin has had support for this since 2018!

    You'll want to enable the options in the session sharing plugin:

    You can opt to only add users to groups, only remove users from groups, or both. You can also specify which groups the automatic group syncing applies to.

    Once enabled, you need only update your shared cookie to contain a groups property, which is of type Array. This array contains the group names in NodeBB that the user should be a part of.

    If group leaving is enabled, then the user will be removed from any groups that are not in this array, upon login/revalidation.

    Once you have your group memberships sorted out, you'll want to restrict access to specific categories based on user group membership.

    You can do that from the ACP > Manage > Privileges page. Simply remove access for the registered-users groups from your choice of categories, and grant those viewing/posting privileges to the paid users group.

  • This topic was created as an entry in the Developer FAQ. Respond below if you have additional information to add re: SSO or other session-sharing implementations.

    The recommended method of sharing sessions between two separate and distinct applications is through OAuth2. We recommend this approach because NodeBB maintains its own user records, so that we can keep track of user-related metrics and other data. Relying on another database would be tricky, prone to breaking, and quite possibly dangerous.

    Luckily, it's quite straightforward to get things working with OAuth2!

    The first step is getting your application to expose an OAuth2 endpoint. If you're running a Node.js based app, you can use a module called OAuth2orize.

    Once that is set up, you'll want to take a look at the SSO plugin skeleton for customised OAuth deployments -- nodebb-plugin-sso-oauth. You'll take this plugin, fork it, and modify it to communicate with your OAuth endpoint.

    Once everything is working properly, you should be able to register and log in/out via your web app.