On asp.net, we have a session expire event. I'm using node.js with express.js and the default memory store for sessions. Every time I restart node, the sessions are lost. Ideally, I'd like to save the sessions to the db (can't use redis).
Is there a session expire event?
If you want to save the sessions to a database which isn't Redis, there are more solutions: https://github.com/senchalabs/connect/wiki (check the Session Stores section).
As far as I know there isn't such an event for cookie/session expiration (I've looked at the code for Connect and didn't find such a feature).
Also if you don't want to use sessions with a database at all, the are several modules for that (storing sessions in cookies, encrypted):
https://github.com/jpallen/connect-cookie-session
https://github.com/ciaranj/express-session-cookie
Related
I am trying to create a login feature for my web application using express-session as a session middleware and connect-mongo as persistent store. I was able to implement persistent session using the mongo store, before which, express-session supported in-memory session until users closed the browser.
I am providing a feature wherein, if the user, while logging in, selects a checkbox "Keep me signed in", creates a persistent session for n days, but if not, by default, the session should expire on closing the browser. I have lost the ability to clear session on browser exit now that I have implemented persistent store with connect-mongo.
How do I switch between both session approach for my feature.
Is it possible to clear session on browser exit in connect-mongo? If so how to I handle the browser event.
Is it practical to implement session based on user selection, and implement persistent store only if user chooses to keep him signed in?
Please suggest better option or one that I don't see yet.
I believe you confuse 2 different things.
express-session uses different stores to retain sessions on server side. It can be in-memory storage which is cleared out once the node process exits (not when a browser is closed) or it can be persistent storage on disk/in a database.
If you read connect-mongo README carefully you'll notice that it clears sessions from DB based on cookie's expiration date or if not set it will use ttl option you can provide (see here).
But this is on the server side and it doesn't affect the expiration date of the cookie which browsers respect.
A session cookie is a cookie that has no expiration date set, i.e. such cookie will be deleted by a browser when it's closed. Initially, you can set maxAge of a cookie using cookie.maxAge option that you pass to session method of express-session. You can use this value as a session expiration date for a user which selects "Keep me signed in" checkbox.
For users who don't select "Keep me signed in" you can adjust the cookie expiration dynamically by accessing it via req.session.cookie inside your endpoint where you have your user's sign-in logic:
req.session.cookie.expires = false
This info is also in express-session docs here.
How can I create sessions and manage them in Node.js without a framework like express?
I know it would be much easier to use express but I want to know how to do it with node just in case.
Most of the questions that mentions managing sessions in node is using express to do so but I want to know how to do that without express.
As a simple starting point, suppose we starts sessions when a user login and destroy when he logout.
So when a user login, we basically create a unique session-id and store this session-id at some db like redis/mysql at our server, same will be given to client for next subsequent requests. (Note do not store session-id in memory of the server, as if the server restart we will loss this sessions)
So next time whenever a new request come from the client with session-id we will identify the user and serve response on the basis of that session-id.
Whenever user logout, we remove the session-id from our db. Similarly we can add timeout for the session-id.
This is a simple concept, it can be extended as required.
I'm learning to use the "client-sessions" package in Node.js, with Express. Everything seems to be working well. But I'm wondering, is there is a way to have it call a function if a session expires?
I'm setting things up so that the session only stores a unique ID. Then outside of the session I store all the user data and anything else I need. That way it keeps my cookies and session info very small. But I want to know when a session has expired so that I can clear any info that doesn't need to be kept after the session is gone.
But I have not been able to find any details on how to do this. Am I thinking about this in the wrong way? If I store everything in the session it will try to store it all in the cookie as well won't it?
thanks in advance.
Making my comments into an answer since it appears to have helped you solve your issue...
If you use a session manager like express-session that only stores a session ID in the browser cookie and keeps a session object server-side in the session store, then you can just store your data directly in the session object and when the session expires, the session manager will just automatically clean up the session (including your data in the session). Then, you don't have to worry about when it expires as things are just managed for you automatically.
express-session has the ability to look up a given session in the session store.get(sessionID, callback) where store is the session store object you're using. To use that, you need to have previously saved the sessionID for a given user that you want to look up.
Super simple question that I'm having trouble wrapping my head around.
When using sessions with nodejs, are the sessions stored in the users browser? Or are the sessions stored on the server?
For example, if I'm using the express-session or passport.session(), where are these session cookies stored?
As #robertklep mentioned, sessions (in the way you're using them) are stored on the client, but only contain a session ID. When your request hits the web server, it'll then look up the session ID to grab the account from some sort of database / cache, then use it for the remainder of the request lifecycle.
If you're interested on learning more about this, you might want to check out this screencast I made a while ago which covers exactly how cookies work, and why -- as well as how to store them securely: https://www.youtube.com/watch?v=yvviEA1pOXw
Furthermore, if you're looking to build a site that doesn't use 'typical' server-side sessions, and works with modern client-side front-end web frameworks like Angular.js / React.js / etc., you might want to investigate JSON Web Tokens (JWTs). These tokens allow you to create 'dumb' cookies that don't require a database lookup on the server, and can speed up your web apps / API services pretty dramatically: https://stormpath.com/blog/build-secure-user-interfaces-using-jwts/
Hope this helps!
The fine manual states:
Note Session data is not saved in the cookie itself, just the session ID. Session data is stored server-side.
express-session sends a cookie to the browser (which stores it), which contains a unique session id. The data itself is stored on the server (depending on which session store you use, this can be in memory, Redis, MongoDB, ...).
The session id in the cookie is merely used as a key to look up the actual data in the session store.
Hi I am using expressjs for my web application, and I use the session middleware, my question is that how I can do something right before the session expire?
For example, I store something in the session, and I set the req.session.cookie.maxAge to 60000(1 minute), when the session timeout, I want to save the data in the session to disk, how I can do this? I checked the API and the destroy function only support callback...
Thanks!
Assuming you're using connect-session there's nothing like session expiration event.
Sessions expire either :
on the client (when cookie gets outdated). There's no way to know about it until a request is made so there's a danger that the event will never get triggered.
in the session store, usually using some form of time-to-live. Not all session stores support events, so notification can't be done in general.
You can, however try implement your own check using setTimeout() - when it times out check if the session's expiration date is sufficiently close to now and do whatever you need to do.