Renewing/Refreshing Express Session - node.js

In my app I restrict some access to some actions and pages if a user is not logged in. I have:
var restrict = function(req, res, next) {
if (!req.user) {
console.log("USER isn't logged in.")
return res.status(403).send('Access or action denied, please log in');
}
next();
}
app.get('/stocks', restrict, MainHandler.findAllStocksFromUser);
app.get('/stocks/:id', MainHandler.findStockByIdAndDates);
app.put('/stocks/:id/stockActions', restrict, MainHandler.handleStockAction);
I'm essentially trying to refresh a session everytime the client makes a request to the server so that the server doesn't logout the user/destroy the session when it shouldn't. For testing, I want the session to expire/the user to be logged out if 20 seconds go by without the user making an requests to the server. I have:
app.use(session({secret: 'secret', saveUninitialized: true, resave: true, expires: new Date(Date.now() + (20000))}));
Then I try to use middleware to refresh the expiration date every time the use makes a request:
// Session-persisted message middleware
app.use(function(req, res, next){
req.session.cookie.expires = new Date(Date.now() + 20000);
next();
});
But if I log in from the client, and click around, causing requests to the server, I still get the log-in error on the client after 20 seconds, despite trying to "refresh" the session in the middleware. I have also tried using maxAge using the same strategy with the middleware. Any ideas? Thanks!


You can try define your session as follows
app.use (
session ({
secret: "secret",
saveUninitialized: true,
resave: true,
cookie: {
expires: 20 * 1000
}
})
);
and then refresh the session using
req.session.touch()
or you could define your session as
app.use (
session ({
secret: "secret",
saveUninitialized: false,
resave: true,
rolling: true,
cookie: {
expires: 20 * 1000
}
})
);
and it will renew the session automatically and it will only expire when it has been idle for the value in the expires variable


express-session supports a duration-based maxAge setting, which will work better than setting a fixed date for all sessions. So your middleware usage should instead look like:
app.use(session({
secret: 'secret',
saveUninitialized: true,
resave: true,
maxAge: 20000
}));
Next, to update the expiration of the session, you can just call req.session.touch(); if that is all you're doing to the session and its contents.
The documentation has a lot of other good information on controlling session expiration and related topics.

Related

Express Session expiry vs First Time Loging in

How to differentiate whether the session expired or is it the first time logging in.
I am setting the session like this and storing the data in express-mysql-session.
const sessionStore = new MySQLStore({}, connection);
// session
const adminSession = session({
secret: process.env.ADMIN_SECRET,
resave: false,
saveUninitialized: false,
store: sessionStore,
name: "adminSession",
cookie: {
maxAge: 600000,
secure: false,
},
});
app.use("/api/admin", adminSession, adminRoutes);
//admin login
app.post("/api/admin/login",(req,res)=>{
req.session.adminAuthenticated = true;
});
By simply checking if there is req.session.adminAuthenticated, I can know if admin is logged in or not. But how can I know if the admin had already logged in earlier but the session expired.
Any help with this.

Firebase node.js application opens someone else's profile

I have a node.js application which I deployed as Firebase function. The issue that I am having is, if user1 is logged it from a window and user2 open the url in a seperate device+browser, User2 is automatically logged in as user1. I am not sure why this is happening.
Some things I have tried
Setting the Auth persistence to None.
Changing my session config in index.js which looks like
app.use(session({
name: '__session',
secret: 'random',
resave: true,
saveUninitialized: true,
cookie: {
maxAge: 5 * 24 * 60 * 60 * 1000, // 5 days
secure: false,
httpOnly: true
}
}));
app.use(flash());
app.use(async(req, res, next) => {
res.locals.success = req.flash('success');
res.locals.error = req.flash('error')
res.locals.currentUser = firebase.auth().currentUser;
next();
});
Anyone faced similar issue? Any idea how to fix this?
Thanks a lot in advance!

Session data is not saved in the cookie itself, just the session ID. Session data is stored server-side.

I can't set the SameSite attribute of the cookie to None in Nodejs (Express)

We are creating a backend for a Twitter view app in Nodejs (Express).
I'm thinking of using Twitter Api for login and storing the token returned after authentication to the session and then restoring the session from the cookie when it is accessed again.
However, the cookie is blocked when it is accessed again and I can't restore the session information.
The browser I use is chrome, but since chrome version 80, SameSite attribute seems to be Lax (sends a cookie when called from the site of the same domain) when the SameSite attribute is not specified, and in this case, front and back end are different domains, so cookies are blocked.
So I am trying to set the SameSite attribute to None (sends a cookie when called by any site), but I can't seem to set it well and asked this question.
I'm wondering if I can set the SameSite attribute to None if I make a difference in the part of app.use(session({})), but...
If anyone knows of a solution, I would appreciate your help.
Thank you for your help.
The corresponding source code
callback_url = env.URL + "oauth/callback";
app.use(
cookieSession({
name: "session",
keys: ["thisappisawesome"],
maxAge: 24 * 60 * 60 * 100
})
);
app.use(cookieParser());
// Save to session
passport.serializeUser(function(user, done) {
done(null, user.id);
});
// Restore from Session
passport.deserializeUser(function(user, done) {
done(null, user);
});
passport.use(
new TwitterStrategy({
consumerKey: env.TWITTER_CONSUMER_KEY,
consumerSecret: env.TWITTER_CONSUMER_SECRET,
callbackURL: callback_url
},
async (token, tokenSecret, profile, done) => {
return done(null, profile);
}
));
app.use(session({
allowedHeaders: ['sessionId', 'Content-Type'],
exposedHeaders: ['sessionId'],
secret: 'reply-analyzer',
resave: false,
saveUninitialized: false
}));
var cors_set = {
origin: env.CORS_ORIGIN_URL,
methods: "GET,HEAD,PUT,PATCH,POST,DELETE",
credentials: true // allow session cookie from browser to pass through
};
app.use(passport.initialize());
app.use(passport.session());
app.use(cors(cors_set));
What I've tried.
1.I tried setting the cookie options in the app.use(session({})) part, but it was not possible to set the SameSite attribute to None.
app.use(session({
allowedHeaders: ['sessionId', 'Content-Type'],
exposedHeaders: ['sessionId'],
secret: 'reply-analyzer',
resave: false,
saveUninitialized: false,
cookie : {
secure: true,
sameSite: 'None'
}
}));
2.I tried using the following middleware (express-samesite-default), but the SameSite attribute can be set to None, and the It wasn't.
var sameSiteCookieMiddleware = require("express-samesite-default");
app.use(sameSiteCookieMiddleware.sameSiteCookieMiddleware());
Additional information
Node.js v12.18.2
chrome v84.0.4147.135

I was able to self-resolve and will describe how I was able to solve the problem.
In the code there are two sessions and a cookie session, but I decided to use the cookie session as it seems to work fine.
The end result is the following
var cookieSession = require("cookie-session");
app.set('trust proxy', 1)
app.use(
cookieSession({
name: "__session",
keys: ["key1"],
maxAge: 24 * 60 * 60 * 100,
secure: true,
httpOnly: true,
sameSite: 'none'
})
);

Hey I just used like this. And it worked. I'm using localhost for both frontend and express backend.
res.cookie('token', token, {
expires: new Date(Date.now() + (3600 * 1000 * 24 * 180 * 1)),
httpOnly: true,
sameSite: "none",
secure: "false",
});

try SameSite: 'none' with capital S it worked for me but i used express-session with cookie-parser... i think your code not working because of small s, when i change my to sameSite it's not working for me too, but SameSite works just as expected
also i use npm i cors
here is my piece of code
app.use(session({
key: 'session_cookie_user_auth',
secret: 'mooncore',
store: sessionStore,
resave: false,
saveUninitialized: false,
cookie: {
SameSite: 'none',
maxAge: 1000 * 60 * 60 * 60
}
}));

express-session Changes the session when the browser is closed

Server on express (4.16.3), with it the express-session (1.15.6) module works.
Code:
// ...
app.use(session({
secret: 'mySecret',
resave: false,
saveUninitialized: true,
store: new MongoDBStore({
uri: 'my-url',
collection: 'sessions'
})
}))
// ...
The essence of the problem: I open the Yandex browser - assign a session, then close it and when I reopen it - a new session. The matter is that authorization is tied to sessions.
The problem is observed in the Yandex browser, microsoft EDGE and in all mobile browsers, while in chrome and opera works correctly.
Help solve the problem or maybe something can replace the module express-sessions

This is happening because your browser default expire the cookie when the browser is closed. In order to fix you can add cookie:{ maxAge: 60000} to your session.
app.use(session({
secret: 'mySecret',
resave: false,
cookie:{ maxAge: 60000},
saveUninitialized: true,
store: new MongoDBStore({
uri: 'my-url',
collection: 'sessions'
})
if you want to make the cookie to not expire, the best way is to set a large number.
// this will it expire in 200 years
cookie: { maxAge: 9000000000000}
or a very far future date in expire property.
// this will expire in year 9999
cookie: {expires: new Date(253402300000000)}

express-session: Rolling session expiry configuration

So I'm using express-session with a mongo store like so:
app.use(session({
secret: 'some secret here',
saveUninitialized: false,
resave: false,
store: new MongoStore({
url: 'http://someurlhere'
})
}));
I have some login middleware, which after a successful login I want to then set the session cookie expiry time.
So I am testing with a 10 second expiry time right now using
req.session.cookie.expires = new Date(Date.now() + 10000);
I want the session expiry to reset for each subsequent request. Currently after 10 seconds have elapsed, no matter how many requests I have made after logging in, the session expires.
I feel like I have misunderstood something here!
EDIT
Ok so I missed the rolling config option in the docs, but even when I set this to true in my session config options, the same behaviour occurs:
app.use(session({
secret: 'some secret here',
saveUninitialized: false,
resave: false,
store: new MongoStore({
url: 'http://someurlhere'
}),
rolling: true,
cookie: {
maxAge: 10000
}
}));
I am now console logging the value of the cookie maxAge across my routes and see it decreasing as each subsequent request is made after logging in, it never reset back to 10000.
What am I doing wrong?
SOLVED
Ok so I came across a comment on this issue
I changed resave to true and it works as expected now.

Resources