Node/Express with connect-redis, how handle session expiry - node.js

I have a Node/Express application that use redis as session store.
I have a question concerning the handling of the expiry of the session.
I'd like have an active session until the browser is closed, so I didn't set a session expiration time.
Doing that the session cookie works fine, but I have a doubt about Redis.
It seems that the couple Key/Value stored in Redis DB never expire.
How is the right way to handle this?
There is a way to configure redis to destroy a value stored with a certain idle time?
Or is better set a TTL when the connect-redis is invoked inside the application?
Actual configuration of the session inside the application:
var session = require('express-session');
var RedisStore = require('connect-redis')(session);
app.use(session({
store: new RedisStore({port:6379, host: 'localhost'}),
secret: "my-secret-here",
resave: false,
saveUninitialized: true }));

Using Redis with express-session, you can use the touch() method from express-session to reset the TTL. So if you set a TTL when creating the session, do something like this on the routes where you don't want the session to expire:
api.get("/someRoute/", (req, res) => {
req.session.touch();
// Whatever else you need to do
res.sendStatus(200);
}
That will reset the TTL on Redis and prevent the session from expiring assuming the client is still hitting your API - I'm assuming that if the client doesn't interact with your API for long enough, that implies the browser is closed or otherwise finished using your app.

You can specify a ttl while creating the session store.
You can find more options in the readme.
app.use(session({
store: new RedisStore(options),
secret: 'keyboard cat',
ttl : 20 // ttl is in seconds. From the readme.
}));

Related

Express-session not deleting previous sessions

I am currently working on a new project and I use sessions with the express-session library.
Here is the code where I set up the session:
const IN_PROD = process.env.MODE==='production'
app.use(session({
name: 'sid',
secret: 'asecret',
store: new MongoStore({
mongooseConnection: mongoose.connection,
collection: 'sessions'
}),
saveUninitialized: false,
resave: false,
cookie: {
sameSite: true,
secure: IN_PROD,
expires: new Date(new Date().getTime() + 1000 * 60 * 60 * 24)
}
}))
Imagine the following steps:
1) My server sends a session id (sid=A) in a cookie to my client.
2) The client manually deletes the cookie
3) At the next request, the client sends another session id (sid=B)
Is it normal that both A and B cookies are stored in the database and the first one is not overridden?
It is normal. It is up to either you or the session store you use to clean up older sessions.
If you look at the MongoStore() documentation, you will see that it has several features related to automatic removal of session objects.
Here's one example:
// connect-mongo will take care of removing expired sessions, using defined interval.
app.use(session({
store: new MongoStore({
url: 'mongodb://localhost/test-app',
autoRemove: 'interval',
autoRemoveInterval: 10 // In minutes
})
}));
Keep in mind that at the express-session level, a session is just a blob of data associated with a cookie. Any time a browser makes a request to your server and no session cookie exists, a new session cookie is created and a new express-session object that is connected to that new cookie.
If the user then deletes that cookie and connects to your server again, express-session has no idea that this browser is the same browser as the previous session. The original cookie is the only way it could know that and the cookie is now gone. So, express-session just sees a new browser connecting to your server that doesn't have a session cookie so it creates a new cookie and then creates a new session object to go with it.
Any association of a logged in user with an express session is done at your application level (by putting user-identification information into the session object) and express-session is not aware of that at all.

Sharing Redis Sessions Across Node Apps

I'm busy building a platform with 3 different subdomains - example.com, auth.example.com and api.example.com. They're run with 3 separate NodeJS apps running on different ports of the server.
Here is the code setting up the sessions:
var session = require("express-session");
var redisStore = require("connect-redis")(session);
var redisClient = require("redis").createClient(config.redis);
app.use(session({
secret: config.server.secret,
store: new redisStore(config.redis),
client: redisClient,
resave: false,
saveUninitialized: false,
cookie: {
domain: "example.co.za",
httpOnly: false
}
}));
The configuration is exactly the same for all 3 apps and they're sitting on the same server. For some reason, the sessions are not being shared. I seem to remember that they were being shared a few weeks back and now things are broken - I have a sneaky suspision that this happened when we moved all the traffic from HTTP to HTTPS. Would this break the sessions? I tried to turn of 'httpOnly' in case it restricted the sessions, but no luck.
I have run redid-cli MONITOR and the session is, in fact, being saved on login (Auth App) but is not being retrieved by the other app. When I turned saveUninitialized to true, the requests to save were coming from all 3 apps - this shows that they are connected to the same Redis Store.
Any help would be great.
I think this is just a cookie issue. The browser is not sending the session cookie back on your sub-domains:
you need a leading . on the domain. e.g.:
cookie: {
domain: ".example.co.za",
httpOnly: false
}
In case that doesn't work and you are having AJAX issues see this post

Express and Redis - If session exists for this user, don't allow access

I am using Redis and Express like this:
// app.js
var redis = require('redis'),
redisClient = redis.createClient(),
session = require('express-session'),
RedisStore = require('connect-redis')(session);
session = session({
store: new RedisStore({client: redisClient}),
secret: 'secretKey',
resave: true,
saveUninitialized: true
})
app.use(session);
In my index route file, I set a user session like this:
req.session.user = user;
When this user comes back (or opens another tab), how could I detect how many sessions he is currently having and block him access if he already has one active session?
express-session working via cookies. So you had cookie named session with some sessionId. All tabs inside browsed share cookies and you can't rely on cookies if you want to strict working via only one browser tab.
You need to create your own Sessions for each opened browser tab. Something like generating tabId at client side and saving {userId, tabId} to Redis
Or you can use websockets (http://socket.io/) for that, a little overhead, but doing exactly what you want

Express.js sessions reset at server restart

I am using the express-session package with a custom MongoDB based session store, but for some reason the sessions are deleted everytime I stop and re-run the script.
From looking at the database I can see that the sessions are saved.
Any ideas?
You can use connect-mongo for storing sessions in database so that it would persist even after restarting the node server.
Here is an example on how you can use it. Example is from its Readme.
var session = require('express-session');
var MongoStore = require('connect-mongo')(session);
app.use(session({
secret: settings.cookie_secret,
store: new MongoStore({
db : settings.db,
})
}));

Node+Passport.js + Sessions + multiple servers

Passport is great. I now discovered that I have some problem with how it handles sessions.
I must be using it wrong.
All works well for me with login + sessions + user data I store in my database.
However I find that when I move to production environment (cloud on EC2 with multiple servers), I lose the login session each time.
This is now clear to me - probably happens since the session is unique to each server.
So my question is - how do I get around this..
I guess I will need to store my own cookie on the user's browser?
Does this mean that I cannot use express.session at all?
Thanks,
Ilan
OK,
So basically what I was looking for (not sure it would be the same answer for everyone else) was a way to store session data between loadbalanced instances without making a DB call for every page view, which seems excessive to me, since I just need to keep the user signed in to Google/FB.
It seems that the answer I was looking for was the cookie-session middleware
https://github.com/expressjs/cookie-session
This needs to replace the default express.session mechanism which uses MemoryStore. BTW MemoryStore itself gives you a warning when run that it will not scale past a single process, and also that it may cause a memory leak.
Which if I understand correctly is serializing the session data itself into the session cookie (encrypted) instead of just using a session ID in the session cookie.
This seems perfect to me. Obviously I don't expect it to work if you have a lot of session data, since a cookie is limited in size. In my case, I just needed the name, ID and avatar url, so I think this will suffice.
Thanks for everyone who helped.
You need to store your session data in a 'global' area, that is accessible to all your servers. This could be redis or another DB.
Take the example from MEAN.JS. Here they use express-session with a MongoDB storage container (since they are a MEAN stack ; ), via connect-mongo. Their project is super easy to set up, if just for an example.
Code while setting up express is like this:
//top of file
var session = require( 'express-session' )
mongoStore = require( 'connect-mongo' )( {
session: session
} );
//...later in setup
// Express MongoDB session storage
app.use( session( {
saveUninitialized: true,
resave: true,
secret: config.sessionSecret,
store: new mongoStore( {
db: db.connection.db,
collection: config.sessionCollection
} )
} ) );
// use passport session
app.use( passport.initialize() );
app.use( passport.session() );

Resources