I want to set the same maxAge and secure options for all cookies in my express 4 application.
Is there a way to express these defaults like the following pseudocode?:
app.set('cookieSettings', {secure: true, maxAge: 1000})
app.cookie('mySecureCookie, 'foo');
No. I'm afraid the only settings you can manipulate with app.set() are in this list of application settings. You can however pass an object of options to res.cookie(name, value, options) and reuse it whenever you set a cookie:
var cookieOptions = {
maxAge: 10000
};
...
res.cookie('mySecureCookie', 'foo', cookieOptions);
Here is the list of properties you can set in the options object.
Related
I am using the following Node.js code to create a 'session store' to keep user information. These text files are kept in a folder called "session-store":
var session = require('express-session');
var FileStore = require('session-file-store')(session);
app.use(session({
store: new FileStore({path: './session-store'}),
// using FileStore with express-session
// as the store method, replacing the default memory store
secret: 'secret_key',
name: 'myadmin',
resave: false,
saveUninitialized: false,
cookie: { maxAge: 60000, httpOnly: true, secure: false }
}));
app.get('/', function (req, res) {
if (req.session.views) {
req.session.views++;
} else {
req.session.views = 1;
}
});
My text file which contains the session information seems to generate properly. However I have some confusion regarding its proper usage. In my cookie (.txt) file, it reports the "views" correctly, such as ""views":1". However if I define another variable, such as "req.session.broadcast = String(req.body.usr);" I do not see this information in my text file...why would this not be inclusive? Is this because the .txt file containing the cookie session storage information is generated only on the initial 'route' (i.e. the "app.get('/', function (req, res) {...do stuff}") and no other place in the Node.js code? (NOTE: I have "req.session.broadcast" set in a different route other than the 'homepage' route...which I guess is when the cookie file gets generated...possibly?).
I am simply attempting to properly manage users...therefore I want to be able to have certain session variables properly set and tracked for each unique user browser.
Are the "req.session.user" and/or req.session variable(s) 'hard coded' variables? I believe they get set when the browser is directed at the webpage, however how can they be used to terminate a session? Do they automatically become null if the user closes their browser (using the "x" in the right top corner) OR if the user directs their browser to another webpage...?
Any help with these questions and any other advice would be GREATLY appreciated.
I have a scenario below as
On browser I open a website in which after getting authenticated with the system(i.e. access.abc.com) I get a cookie and I set it on client, i.e. connect.sid with domain as .abc.com
On same browser I open another webiste i.e. xyz.abc.com that also generates session cookie(after getting authenticated from the same i.e. access.abc.com) with same name but with different domain as xyz.abc.com(basically this is what this website sets)
Now if I send a request to any api on xyz.abc.com, I see 2 connect.sid going.
My question is which cookie will be picked by express-session of access.abc.com when xyz.abc.com send a request?
Below is the setting for express session at access.abc.com
var RedisStore = require('connect-redis')(expressSession);
var session = expressSession({
key: 'connect.sid',
store: new RedisStore({host: config.session_redis.host,
port: config.session_redis.port,
ttl: 2*24*60*60 //in secs
}),
resave: false,
saveUninitialized: false,
secret: '234567',
cookie: {
domain: '.abc.com',
maxAge: 2*24*60*60*1000 // in ms
}
});
My question is which cookie will be picked by express-session of access.abc.com when xyz.abc.com send a request?
Looking at the code, I think that it will pick the one in the first Cookie header it encounters in the request headers, so the question becomes "which cookie will the browser put in the headers first?" (which I can't answer because I have no idea).
We're Node + Express + Passport for authentication, and persisting the session info to Redis. I have maxAge set on the session cookie, to time out in one hour. That all seems to be working fine but the problem is, the session cookie will expire in one hour regardless of the user's activity.
Is there a way I can manually refresh/keep alive the session cookie?
You'll likely want to use the "rolling" option for your session. This "forces a cookie set on every response" and "resets the expiration date." You want to set rolling to true.
Also pay attention to the "resave" option. That "forces session to be saved even when unmodified..." You'll likely want to set that option to true as well. Note that even though the default value is true for this option, you should set the value explicitly. Relying on the default for this option, rather than setting it explicitly, is now deprecated.
Try something like:
app.use( session( { secret: 'keyboard cat',
cookie: { maxAge: 60000 },
rolling: true,
resave: true,
saveUninitialized: false
}
)
);
Here's the documentation. Look under "Options" and "options.resave": https://github.com/expressjs/session .
Yes you can!
If the cookie is unchanged on a request then it will not be resent to the browser, you can check in the developer tools under cookies to verify that. So what some, including myself like to do is to change the cookie on request where there is user activity that should extend the session. Something like the following:
req.session.lastAccess = new Date().getTime();
Another thing I've seen but I've had trouble with is to use the Session#touch:
req.session.touch()
Yes, you can manually reset the maxAge for each cookie after the user logs in:
req.session.cookie.maxAge = 60 * 60 * 1000;
Here is the connect session documentation.
Try this code:
app.use(session({ secret: 'Category', cookie: { maxAge: 6000000 }, resave: true, saveUninitialized: false}));
I am building an API with Sails.js. For session storage I am using redis. Fun stuff!
The Set-Cookie Response Header contains
sails.sid=<sessionID>; Path=/; HttpOnly
Simple thing in an express application, but I am having a hard time on how to set the expires value for that Cookie. Does anyone know?
Setting ttl for redis does not have any effect by the way.
I found the answer to the above question myself. Just add
cookie: {
maxAge: 60 * 60 * 1000 // example: 60 mins in miliseconds
}
to your sails.js config/session.js file.
If the app is running behind proxy/ revserse proxy ( nginx) and you want to set a secure flag to your cookie just modify:
config/session.js and add these lines:
proxy: true,
cookie: {
secure: true
}
You can use this code in your controller to set cookie expire time
res.cookie('rememberme', '1', { expires: new Date(Date.now() + 900000), httpOnly: true });
Bringing this question to SO since the express group didn't have an answer.
I'm setting the session maxAge = 900000 and I see that the the expires property on the session cookie is set correctly.
However, on subsequent requests the timeout is not being extended. It is never extended and the cookie eventually expires.
The session middleware docs say that Session#touch() isn't necessary because the session middleware will do it for me. I actually tried calling req.session.touch() manually and that did nothing, I also tried setting the maxAge on the req.session.cookie as well and that did nothing :-(
Am I missing a setting somewhere to automatically extend active sessions? Short of recreating the cookie manually on each request is there any other way to extend a session timeout after end-user activity?
EDIT: I experienced this problem in express v3. I'm not 100% sure but I think this note from the express changelog may have been the culprit:
changed session() to only set-cookie on modification (hashed session json)
Rolling sessions now exist in express sessions. Setting the rolling attribute to true in the options, it will recalculate the expiry value by setting the maxAge offset, applied to the current time.
https://github.com/expressjs/session/issues/3
https://github.com/expressjs/session/issues/33
https://github.com/expressjs/session (search for rolling)
For example, note the rolling:
app.use(session({
secret: 'a secret',
cookie: {
path: '/',
httpOnly: true,
secure: false,
maxAge: 10 * 60 * 1000
},
rolling: true
}));
Here is the solution in case anyone else has the same issue:
function (req, res, next) {
if ('HEAD' == req.method || 'OPTIONS' == req.method) return next();
// break session hash / force express to spit out a new cookie once per second at most
req.session._garbage = Date();
req.session.touch();
next();
}