parse-server
parse-server copied to clipboard
parse-community
extendSessionOnUse not working as expected
New Issue Checklist
- [x] I am not disclosing a vulnerability.
- [x] I am not just asking a question.
- [x] I have searched through existing issues.
- [x] I can reproduce the issue with the latest version of Parse Server.
Issue Description
Issue with 'extendSessionOnUse' I don't understand how this feature works. So this is where the magic happens and the session gets extended.
const lastUpdated = new Date((_session = session) === null || _session === void 0 ? void 0 : _session.updatedAt);
const yesterday = new Date();
yesterday.setDate(yesterday.getDate() - 1);
if (lastUpdated > yesterday || !session) {
return;
}
const expiresAt = config.generateSessionExpiresAt();
await new _RestWrite.default(config, master(config), '_Session', {
objectId: session.objectId
}, {
expiresAt: Parse._encode(expiresAt)
}).execute();
But looking at this piece of code it takes lastUpdated and yesterday and if lastUpdated is greater than yesterday it returns.
So if I've doing 60 minute sessions, well this will never actually extend the session. So for this to work a session needs to be at least 24 hours.
This isn't documented anywhere and it's counterintuitive.
Am I missing something.
Steps to reproduce
Enable extendSessionOnUse.
Set session to 60 minutes.
Perform actions for authenticated user and look at session expiry. it doesn't update.
Now set session to 48 hours.
Perform actions and notice that session expiry does update.
Actual Outcome
I expect Session expiry to update for any session duration.
Expected Outcome
I expect Session expiry to update for any session duration.
Environment
NodeJS 21
Server
- Parse Server version: `6.4
- Operating system:
Ubuntu 22 - Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc):
local
Database
- System (MongoDB or Postgres): `MongoDB
- Database version:
6.0 - Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc):
local
Client
- SDK (iOS, Android, JavaScript, PHP, Unity, etc):
REST - SDK version:
REST
Logs
N/A
Thanks for opening this issue!
- 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.
![parse-github-assistant[bot] avatar](https://avatars.githubusercontent.com/in/136195?v=4 "Published by a pub.dev verified publisher"){kind=small}
Last time I tried to use this I came to the same conclusion (IIRC). I think not updating the session expiration on every use is actually a good design decision, as it would hit the Mongo with session object write with every authenticated read. But it may be wise to perhaps make this configurable or invent some better update magic.
For example, if the session expiration is set to N days, it would be wise to extend the use every day.
If the session expiration is set to N minutes, it may be wise to extend every minute.
if session expires in N hours (but less then a day), it may be wise to update every hour.
so hardcoding 24 hours probably makes sense for longer session expirations in days, and does not work at all for sessions with expirations in hours or minutes.
Please feel free to open a PR; likely a simple fix, just remove the yesterday var.
@vivekjoshi556 Please do work on this, I will beta test for you. I have a good idea above how to fix it without incurring additional writes on Mongo, but I will not have a time to look at it in the near future!
