Maybe i did not understand right how connect-mongo works.
When i set
app.use(express.session({
secret: '1234567890QWERTY',
cookie: {maxAge: 1000 * 60},
store: new MongoStore({
db: "DB"
}),
})
This suggest that the session expire after 1 minute.
But my doubt is: if the user refresh the page and on Mongo the session is refreshes too, why after 1 minute the mongo remove the entry?
I want expire the session after 1 minute, but only when user exit or stop interact with browser.
What is the better form to use session how i need?
Thanks.
add:
Oficial Doc
Note: By connect/express's default, session cookies are set to expire when the user closes their browser (maxAge: null). In accordance with standard industry practices, connect-mongo will set these sessions to expire two weeks from their last 'set'. You can override this behavior by manually setting the maxAge for your cookies -- just keep in mind that any value less than 60 seconds is pointless, as mongod will only delete expired documents in a TTL collection every minute.
Well i got the solution
Ref: Express.js and connect-mongo session duration
Ref: https://github.com/senchalabs/connect/issues/670
Ref: https://github.com/fealaer/liltael.com/issues/4
thanks #Ivan
Related
I want to expire session when the browser is closed.
I'm using res.cookie('testlocale', 'en', { maxAge: 900000, httpOnly: true });
Also which event should i use in front end(onbeforeunload or onunlod)
I'm not able to understand how to do this. I'm using handlebars in front-end
If you use express-session.
You can set expires: false.
req.session.cookie
Each session has a unique cookie object accompany it. This allows you to alter the session cookie per visitor. For example we can set req.session.cookie.expires to false to enable the cookie to remain for only the duration of the user-agent.
From docs
If you want to manually delete cookies on frontend, I think both are good fit. But I'm not sure it's good idea.
I am currently working on a new project and I use sessions with the express-session library.
Here is the code where I set up the session:
const IN_PROD = process.env.MODE==='production'
app.use(session({
name: 'sid',
secret: 'asecret',
store: new MongoStore({
mongooseConnection: mongoose.connection,
collection: 'sessions'
}),
saveUninitialized: false,
resave: false,
cookie: {
sameSite: true,
secure: IN_PROD,
expires: new Date(new Date().getTime() + 1000 * 60 * 60 * 24)
}
}))
Imagine the following steps:
1) My server sends a session id (sid=A) in a cookie to my client.
2) The client manually deletes the cookie
3) At the next request, the client sends another session id (sid=B)
Is it normal that both A and B cookies are stored in the database and the first one is not overridden?
It is normal. It is up to either you or the session store you use to clean up older sessions.
If you look at the MongoStore() documentation, you will see that it has several features related to automatic removal of session objects.
Here's one example:
// connect-mongo will take care of removing expired sessions, using defined interval.
app.use(session({
store: new MongoStore({
url: 'mongodb://localhost/test-app',
autoRemove: 'interval',
autoRemoveInterval: 10 // In minutes
})
}));
Keep in mind that at the express-session level, a session is just a blob of data associated with a cookie. Any time a browser makes a request to your server and no session cookie exists, a new session cookie is created and a new express-session object that is connected to that new cookie.
If the user then deletes that cookie and connects to your server again, express-session has no idea that this browser is the same browser as the previous session. The original cookie is the only way it could know that and the cookie is now gone. So, express-session just sees a new browser connecting to your server that doesn't have a session cookie so it creates a new cookie and then creates a new session object to go with it.
Any association of a logged in user with an express session is done at your application level (by putting user-identification information into the session object) and express-session is not aware of that at all.
I have a couple requirements around session handling and I'm having trouble enforcing one.
Sessions need to:
Expire in 30 mins if user has been inactive
Expire in 8 hours from when user first logged on regardless of activity.
I was able to configure item 1 but not item 2. Every time a user is browsing application, the cookie is updated (with time+30mins) and sent back to the browser but at the same time the session storage TTL is also refreshed. The last part is what I need to stop.
I believe the TTL refresh is implemented as a feature from express-session. Session.touch() is called by the middleware but is there a setting that'll remove this action?
The stack:
Node, express, express-session, connect-redis for session storage.
The configuration:
app.use(session({
store: new RedisStore({
client: redis_client,
ttl: 28800 // 8 hours
}),
secret: config.redis_session_secret,
resave: false,
saveUninitialized: false,
cookie: {
path: '/',
httpOnly: true,
secure: false,
maxAge: 30 * 60 * 1000 //mins * seconds * milliseconds. session cookie will expire every 30 mins
},
rolling: true
}));
I don't think option 2 is a supported feature of express session. So, instead you can just add a property to each session that indicates the time it was started and then every 10 minutes or so (probably on an interval timer), query for all sessions where that property is older than 8 hours and remove them from the database.
You could instead implement middleware that checks the session expiration on every request and removes the session if it find the session is older than 8 hours.
You should be aware that implementing this behavior could cause a user to lose their session in the middle of using your app (which is why it is not typically implemented this way).
I followed a tutorial to include Google authentication for my web application using the passport-google-oauth module. The server.js file has the following lines of code:
app.use(express.session({ secret: 'victoriassecret' })); // session secret
app.use(passport.initialize());
app.use(passport.session()); // persistent login sessions
In addition, I find that the application automatically logs the user out after some time. Passport is configured in a separate file that is imported in server.js. Is there some way I can increase the time before the user is logged out, or even better, not log him out until he clicks on the logout button? Also, what is the session secret?
1) You can define the maximum life-time of a session cookie ( and concurrently the time before a user is automatically logged out ) using the maxAge option of the cookie parameter like this :
app.use(expressSession({ cookie: {maxAge: 10000} , secret: 'victoriassecret'}));
According to this maxAge value ( 10000 ) the cookie's maximum life-time will be 10.000ms(10 sec).
(obviously you need a much bigger value than this)
Thus,you can increase the maxAge value in order to suit your needs and make sure user does not get logged out until he decides so, pressing the Logout button.
2) The session secret is a random string used to hash the session with HMAC ( more on HMAC : here) in order to protect the session from being highjacked.
Can't seem to find anything in the docs at http://passportjs.org/ or anywhere else on how to properly set how long a user stays logged in.
I've currently got passport-local working on my dev machine, but I have no idea what the duration of a login will be and can't find anything about changing the setting.
Is this because it's set within express or something I'm missing?
As I thought might be the case, passport just uses express's session config:
app.use(express.session({ secret: 'topsecret', cookie: { maxAge: 3600000 } }))
// login sessions last 1 hour
The cookie lasts maxAge milliseconds. There are many ways to set the cookie length; this was just the one that seemed simplest to me.