I'm learning to use the "client-sessions" package in Node.js, with Express. Everything seems to be working well. But I'm wondering, is there is a way to have it call a function if a session expires?
I'm setting things up so that the session only stores a unique ID. Then outside of the session I store all the user data and anything else I need. That way it keeps my cookies and session info very small. But I want to know when a session has expired so that I can clear any info that doesn't need to be kept after the session is gone.
But I have not been able to find any details on how to do this. Am I thinking about this in the wrong way? If I store everything in the session it will try to store it all in the cookie as well won't it?
thanks in advance.
Making my comments into an answer since it appears to have helped you solve your issue...
If you use a session manager like express-session that only stores a session ID in the browser cookie and keeps a session object server-side in the session store, then you can just store your data directly in the session object and when the session expires, the session manager will just automatically clean up the session (including your data in the session). Then, you don't have to worry about when it expires as things are just managed for you automatically.
express-session has the ability to look up a given session in the session store.get(sessionID, callback) where store is the session store object you're using. To use that, you need to have previously saved the sessionID for a given user that you want to look up.
Related
Sorry, I don't know the best terminology to do what I am wanting to do.
I have several microservices that share a session secret. Once in a while, the session secret changes, and I will want to "refresh" the microservices with a new session secret.
In the case where, say, two of the microservices get the new secret but one of them doesn't, if the session cookie is signed with a new secret that the microservice does not have, then I can see the session cookie, but sessionID is not populated. This is how I determine if I need to refresh the session secret. So the microservice is able to grab the new secret and add it to the array of session secrets that was passed to express-session during initialization.
However, I was hoping that after this I could try to get the session again using the ID in the session cookie, and return the authenticated page to the user. The problem is, at this point express-session has already done its work, and there is no session present due to the fact that the ms saw a seemingly invalid signature. Currently my solution is to redirect back to the page after session secret is refreshed:
res.redirect(req.originalUrl)
This seems to be working, but is less than ideal. I was wondering if there is some way to tell express to go back to square 1, where it gets a session ID and verifies the signature, and then populates the session if it is present, without a redirect or anything, and once that is done continue to go through all the middleware as if this was a new request.
Any help would be appreciated
I want to do only cookie based authentication for my app. No pwd or email need to be given.
It is like the guest user feature in some webapps (like discord). You can use the app like
a logged in user as long as you have that cookie (or local storage). I find this very seamless and I don't want to put up signup barrier to the visitors.
I want a middleware, which does the following :
If request does not have a session id, it has to create a new session (by adding new document in sessions collection in mongodb, and setting the field session_id with random string)
If the request has cookie, it has to parse the cookie and set in request object. Even better, it gets the session object from db and set it in request object.
Is there anything right out of the box that does this? Or any other ways to easily achieve this?
express-session with a mongodb data store will do that pretty much right out of the box. There are multiple session store options for mongodb here. One of them is even maintained by the mongodb team.
In a nutshell, express-session will check for an incoming session cookie. If one exists, it will look up the session ID in the session store and find the session object for that ID. If there is no cookie or the DB has no session for that ID, it will make sure there's a cookie and create a new session for it. That session will be available as req.session for that request for all request handlers and middleware downstream of the session middleware.
You will need to age away old sessions from mongodb because if you're not attaching any login to them, then lots of the sessions will get permanently orphaned either when the user never comes back to your site or when the user's cookie ages away. And, the same user from multiple devices will cause multiple separate sessions to be created (which is a by-product of the auto-session-creation and login-free design).
I am using node.js. I was thinking of just storing a session id in the session variable, so that every time I make a request for a route, the server checks in the database whether the user with that session id is authorised to access that page.
This seems a bit inefficient, since there will be a database call for every page request. I know I could just store some data in cookies / session variable for this purpose to avoid the database call, but then I am susceptible to tampering..
How do other web developers handle this ?
A server-side session and associated encrypted session cookie used with https is secure. So, just keep a value in the server-side session that tells you whether that user has been authenticated or not and all you have to do is check that variable in the server-side session object. This is how every web-site I know does things.
The NPM module express-session used with a suitable session store will implement most of this for you.
If you have a specific reason why you think this isn't secure, please share those reasons so they can be discussed.
Here's a general article about securing node.js servers and point #6 is about securing session cookies: 9 Security Tips to Keep Express from Getting Pwned.
Hi I am using expressjs for my web application, and I use the session middleware, my question is that how I can do something right before the session expire?
For example, I store something in the session, and I set the req.session.cookie.maxAge to 60000(1 minute), when the session timeout, I want to save the data in the session to disk, how I can do this? I checked the API and the destroy function only support callback...
Thanks!
Assuming you're using connect-session there's nothing like session expiration event.
Sessions expire either :
on the client (when cookie gets outdated). There's no way to know about it until a request is made so there's a danger that the event will never get triggered.
in the session store, usually using some form of time-to-live. Not all session stores support events, so notification can't be done in general.
You can, however try implement your own check using setTimeout() - when it times out check if the session's expiration date is sufficiently close to now and do whatever you need to do.
I'm building a single-page javascript app that talks to Express on the back end. At various points in the app, we interact with the back end, updating the session. The session expiration is relatively short for security reasons.
In it, I'd like to warn the user that the session might be expiring, if they've been idle for a long time and have not made any transactions with the back end.
I'd like to have an Express "heartbeat" route that returns how long the session has remaining (session.maxAge), but I don't want it to refresh the session expiration.
The connect.session code automatically refreshes the session at the end of a request.
I'm looking for a way to have access to the session to fetch the maxAge, but not have it updated.
Best bet would be modifying your SessionStore manually to not modify the session expiration when coming from a specific route (req.url).
Look for the part of your sessionStore that calls Session.touch().