express.js, passports.js: why shared sessions?

Question

express.js, passports.js: why shared sessions?

Trying to setup authentication with express.js and passport.js. Well, probably stupid question, but I don't understand how all that stuff works.

I set up facebook strategy and can now authticate users with facebook. What I'm stuck with is:

If I authenticate user in on one client (browser), it becomes authenticated on all other clients that make requests. Why is that? And how am I supposed to configure express and passport to use it correctly and safely in production?

My express config:

app.use(express.bodyParser());
app.use(express.methodOverride());

app.use(express.cookieParser());
app.use(express.session({ secret: 'secret' }));

app.use(passport.initialize());
app.use(passport.session());
app.use(app.router);
app.use(express.static('public'));

Don't really get all authentication stuff. Should there appear some cookies on the client after it has been authenticated?

UPD:

Passport config:

passport.serializeUser(function(user, done) {
    done(null, user._id);
});

passport.deserializeUser(function(id, done) {
    User.findById(id, function(err, user) {
        done(err, user);
    });
});


passport.use(new FacebookStrategy({
        clientID: nconf.get('facebook:appId'),
        clientSecret: nconf.get('facebook:appSecret'),
        callbackURL: nconf.get('facebook:callbackUrl')
    },
    function(accessToken, refreshToken, profile, done) {
        User.findOrCreateExternal(profile, done)
    }
));

Routes

app.get('/api/users/facebook', users.facebookLogin);
app.get('/api/v1/users/facebook/callback', users.facebookLoginCallback);

Actions:

    facebookLogin: function(req, res, next){            
        return passport.authenticate('facebook', {
            scope: nconf.get('facebook:permissions')
        })(req, res, next)
    },

    facebookLoginCallback: function(req, res, next){
        return passport.authenticate('facebook', {
            successRedirect: process.env.FB_SUCCESS_REDIRECT,
            failureRedirect: process.env.FB_FAILURE_REDIRECT

        })(req, res, next)
    },

UPD2:

Route and action to get currently authenticated user:

app.get('/api/users/logged', users.getLoggedInUser)

Action code:

getLoggedInUser: function(req,res){
    //Currently last authenticated user is send to all clients that make requests.
    res.send({user: req.user || false})
}

node.js
express
passport.js

Answer 1

The problem was that I was using intermediate development web server (for serving development assets, livereload etc) that was piping http requests to api server incorrectly.