So I'm using express-session https://github.com/expressjs/session and I was wondering if the secret needed to be unique for every user. I can't seem to find anything that says it does as the usage just lists:
app.use(session({
secret: 'keyboard cat',
resave: false,
saveUninitialized: true,
cookie: { secure: true }
}))
I'm currently just creating the secret using bcrypt but I'm not sure if this will impact sessions when I update my server file.
var salt1 = bcrypt.genSaltSync();
var salt2 = bcrypt.genSaltSync();
var secret = bcrypt.hashSync(salt1 + salt2, 10);
app.use(session({
secret, // set this to a long random string!,
}));
Should the session be generated inside a function in itself, i.e. function generateSession()
The secret is the same for all users. The "secret" you supply simply acts as the salt for the session's hash function. The method you're using is as good as any as it will generate a new salt each time the application is restarted.
Related
How to differentiate whether the session expired or is it the first time logging in.
I am setting the session like this and storing the data in express-mysql-session.
const sessionStore = new MySQLStore({}, connection);
// session
const adminSession = session({
secret: process.env.ADMIN_SECRET,
resave: false,
saveUninitialized: false,
store: sessionStore,
name: "adminSession",
cookie: {
maxAge: 600000,
secure: false,
},
});
app.use("/api/admin", adminSession, adminRoutes);
//admin login
app.post("/api/admin/login",(req,res)=>{
req.session.adminAuthenticated = true;
});
By simply checking if there is req.session.adminAuthenticated, I can know if admin is logged in or not. But how can I know if the admin had already logged in earlier but the session expired.
Any help with this.
I am using Node.js/Express with the 'express-session' module for session management. My setup is as follows:
var session = require('express-session');
var MemoryStore = require('memorystore')(session)
const express = require('express');
const app = express();
app.use(session({
cookie: { maxAge: 86400000 },
store: new MemoryStore({
checkPeriod: 86400000 // prune expired entries every 24h
}),
resave: false,
saveUninitialized: false,
unset: 'destroy',
secret: process.env.COOKIE_SECRET
}))
My question is simple...how do I call the 'store' commands (for example ".all", ".destroy", ".length", etc)...? I have attempted at least the following:
session.store.all(function(error, len) {console.log("EXECUTED MEMORYSTORE LIST: ");})
MemoryStore.all(function(error, len) {console.log("EXECUTED MEMORYSTORE LIST: ");})
store.all(function(error, len) {console.log("EXECUTED MEMORYSTORE LIST: ");})
...Nothing of which works...I always get a "not a function" error thrown. I would like to access these commands to enable cycling through the sessions in the store, deleting as necessary, and other misc tasks.
Any advice on how to access these 'store commands' would be greatly appreciated. I thank you in advance.
If you want access to the MemoryStore interface for that module, then you just have to save the instance to your own variable:
const memoryStore = new MemoryStore({
checkPeriod: 86400000 // prune expired entries every 24h
});
app.use(session({
cookie: { maxAge: 86400000 },
store: memoryStore,
resave: false,
saveUninitialized: false,
unset: 'destroy',
secret: process.env.COOKIE_SECRET
}));
Now, you have access to the instance of the memoryStore and you can access whatever methods it has. You can see what methods it offers in the code here. It's implementation is really just in service of the express-session store interface - it is not meant as a separately accessible database, but you can call the methods from the express-session store interface.
Keep in mind that the tasks you ask about are better served by using a session store that is a real database and has a real database interface. Then, you can use the regular database interface to access previously store session data.
I am generating custom session IDs using the genid function with express-session and connect-mongo:
app.use(session({
store: new MongoStore({
mongooseConnection: db,
clear_interval: 60
}),
secret: 'someSecret',
name: 'secret',
genid: function(req){
return uuid4();
},
resave: false,
saveUninitialized: false,
cookie: {
httpOnly: true,
sameSite: true,
maxAge: 60*1000
}
}));
Id generated by uuid4(), I know that it has uniqueness, but not always, I want to know 100% that there is no such ID in the database, I want to check every time this ID is generated, whether such ID already exists in the database. I dug the whole Internet, but did not find anything about how to check that a session with such an ID already exists. I would like to implement it in genid function, like this:
genid: function(req){
let newID = uuid4();
//check if a session with this `newID` exists in the database
}
I don't know how to access the session ring generated by connect-mongo. Sorry for my English. I would be grateful if someone could help! :)
I'm lazily changing my user schema (mongoose). My code will rewrite a user's data when a user logs in and is still using the old schema.
To ensure no user is already logged in with the old schema when the new version gets deployed (which would throw errors), I want to log out all users and delete their user sessions when the app restarts.
I'm using passportJS and saving the sessions with cookie-session.
app.use(cookieParser(env.cookie))
app.use(cookieSession({
cookie: {maxAge: 60000},
secret: 'ThisIsASecret',
saveUninitialized: true,
resave: true
}))
require('./config/passport')(passport)
app.use(passport.initialize())
app.use(passport.session())
It might not be the most elegant solution, but changing the cookie-session secret string works:
app.use(cookieSession({
cookie: {maxAge: 60000},
secret: 'ThisHasChanged',
saveUninitialized: true,
resave: true
}))
So I'm using express-session with a mongo store like so:
app.use(session({
secret: 'some secret here',
saveUninitialized: false,
resave: false,
store: new MongoStore({
url: 'http://someurlhere'
})
}));
I have some login middleware, which after a successful login I want to then set the session cookie expiry time.
So I am testing with a 10 second expiry time right now using
req.session.cookie.expires = new Date(Date.now() + 10000);
I want the session expiry to reset for each subsequent request. Currently after 10 seconds have elapsed, no matter how many requests I have made after logging in, the session expires.
I feel like I have misunderstood something here!
EDIT
Ok so I missed the rolling config option in the docs, but even when I set this to true in my session config options, the same behaviour occurs:
app.use(session({
secret: 'some secret here',
saveUninitialized: false,
resave: false,
store: new MongoStore({
url: 'http://someurlhere'
}),
rolling: true,
cookie: {
maxAge: 10000
}
}));
I am now console logging the value of the cookie maxAge across my routes and see it decreasing as each subsequent request is made after logging in, it never reset back to 10000.
What am I doing wrong?
SOLVED
Ok so I came across a comment on this issue
I changed resave to true and it works as expected now.