The store changes the sessions.data.expires date on each request even when the expressSession.rolling is set to false #64

Open
la40 opened this issue Nov 16, 2021 · 1 comment


la40 commented Nov 16, 2021

That is my express session configuration.

```js
expressSession({
    cookie: {
      maxAge: 12 * 60 * 60 * 1000, // ms
      httpOnly: true,
      sameSite: true,
      secure: process.env.NODE_ENV === "production",
    },
    rolling: false,
    name: config.get("admin.session.name"),
    secret: config.get("admin.session.secret"),
    resave: false,
    saveUninitialized: false,
    store: new PrismaSessionStore(prisma, {
      checkPeriod: 5 * 60 * 1000, // ms
      dbRecordIdIsSessionId: true,
      dbRecordIdFunction: undefined,
    }),
  })
```

And this is what the record in the sessions table looks like after each request.

```json
{
    "cookie": {
        "originalMaxAge": 43200000,
        "expires": "2021-11-17T06:30:33.412Z",
        "secure": false,
        "httpOnly": true,
        "path": "/",
        "sameSite": true
    },
    "passport": {
        "user": {
            "id": 1
        }
    }
}
{
    "cookie": {
        "originalMaxAge": 43200000,
        "expires": "2021-11-17T06:30:45.264Z",
        "secure": false,
        "httpOnly": true,
        "path": "/",
        "sameSite": true
    },
    "passport": {
        "user": {
            "id": 1
        }
    }
}
{
    "cookie": {
        "originalMaxAge": 43200000,
        "expires": "2021-11-17T06:37:46.650Z",
        "secure": false,
        "httpOnly": true,
        "path": "/",
        "sameSite": true
    },
    "passport": {
        "user": {
            "id": 1
        }
    }
}
```

And here is the expiration of the cookie in the client's header after the third request.

Wed Nov 17 2021 08:30:33 GMT+0200 (Eastern European Standard Time)

Obviously, if the user surfs all the time (makes a lot of requests), the expiration in the database will be maxAge later than the expiration of the cookie, so the session's record will stay in the database maxAge longer. For example, if the maxAge is 12 hours and the user surfs, making requests all the time, the time difference between the expiration of the cookie and the record in the sessions table will be a little bit less than 12 hours, so this record will stay in the database for the next 12 hours until it expires and the check function deletes it.

Solution: In my opinion the rolling option from expressSession must be taken into account.
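
The drift reported in this post, replayed as an added example that is not part of the original posts and not code from express-session or the store. It assumes the browser keeps the expiry from the first Set-Cookie and the record's expiry becomes request time plus maxAge on every request; `replay` and `orphanWindowMs` are hypothetical names.

```javascript
// Added example: a model of the behaviour reported above, not express-session or store code.
const MAX_AGE_MS = 12 * 60 * 60 * 1000; // cookie.maxAge from the posted configuration

// Assumption: with rolling: false the browser keeps the expiry from the first Set-Cookie,
// while the store record's expiry is rewritten to (request time + maxAge) on each request.
function replay(requestTimesMs, maxAgeMs) {
  const cookieExpires = requestTimesMs[0] + maxAgeMs;
  return requestTimesMs.map((t) => ({
    requestAt: new Date(t).toISOString(),
    recordExpires: new Date(t + maxAgeMs).toISOString(),
    driftMs: t + maxAgeMs - cookieExpires, // record expiry minus cookie expiry
    cookieStillSent: t < cookieExpires, // the browser drops the cookie after this point
  }));
}

// How long the record stays in the table after the browser's cookie has expired.
function orphanWindowMs(requestTimesMs, maxAgeMs) {
  const cookieExpires = requestTimesMs[0] + maxAgeMs;
  const sent = requestTimesMs.filter((t) => t < cookieExpires);
  return sent[sent.length - 1] + maxAgeMs - cookieExpires;
}

// Request times derived from the three "expires" values in the issue (expires - maxAge).
const expiresFromIssue = [
  "2021-11-17T06:30:33.412Z",
  "2021-11-17T06:30:45.264Z",
  "2021-11-17T06:37:46.650Z",
];
const requests = expiresFromIssue.map((e) => Date.parse(e) - MAX_AGE_MS);

const rows = replay(requests, MAX_AGE_MS);
console.table(rows);
console.log("record outlives cookie by (ms):", orphanWindowMs(requests, MAX_AGE_MS));

// Constructed worst case: one more request a second before the cookie expires.
const busy = [requests[0], requests[0] + MAX_AGE_MS - 1000];
console.log("worst case (ms):", orphanWindowMs(busy, MAX_AGE_MS));
```

For the three records in the issue the drift is 0 ms, 11852 ms and 433238 ms; the constructed worst case leaves the record in the table one second short of maxAge past the cookie's expiry.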

kleydon (Owner) commented Dec 6, 2021

Hi @lachezargrigorov - thanks for submitting this issue.

It looks like for at least some commonly used express session stores (e.g. MongoStore), it is expected for rolling to be used together with resave=true:

https://stackoverflow.com/questions/36352179/express-session-rolling-session-expiry-configuration
https://stackoverflow.com/q/36352179

Does this approach work in your application?

In case this issue requires additional investigation/work, here's another link that might be relevant:
jdesboeufs/connect-mongo#351 (comment)
