session icon indicating copy to clipboard operation
session copied to clipboard

Published 20 hours ago verified publisher icon expressjs

Exclude routes from renewing express cookie expiration date

Open TGNC opened this issue 7 years ago • 4 comments

This issues somewhat related to - #452

In my project I need to have dynamic max-age for the set-cookie that authenticate the users. so on each request the user made to the server the max-age will get updated (in an hour or several..). However, there is several periodic routes which run every 30 seconds that shouldn't update the cookie max-age (because they are not user action). So after let say one hour the user didn't do any action in the system, the user session will get expired.

So if I configure the session with 'rooling' set to false (because there are response I don't want to update the max-age), it seem I can't get express to put 'set-cookie' with my max-age at all (on all requests).

how should I solve this kind of problem? what approach should I take to have express only update the max-age of specific requests.

For example code of the problem - https://stackoverflow.com/questions/40403609/how-to-exclude-routes-from-renewing-express-cookie-expiration-date

TGNC avatar May 13 '18 14:05 TGNC

This is not a issue related with express-session library. If you want dynamic max-age cookie expiration use the following example:

var express = require('express');
var session = require('express-session');
var app = express();

app.use(session({ secret: 'mysecret', cookie: { maxAge: 60000 }}))

// Dynamic cookie expiration
app.get('/update', (req, res) => {
    if (req.session.views) {
        req.session.views = req.session.views + 1;
        
        // Update cookie expiration
        req.session.cookie.maxAge =  req.session.cookie.maxAge  + 60000;
        
        res.setHeader('Content-Type', 'text/html');
        res.write('<p>views: ' + req.session.views + '</p>');
        res.write('<p>expires in: ' + req.session.cookie.maxAge + 's</p>');
        res.end();
    } else {
        req.session.views = 1
        res.end('Welcome. refresh!')
    }
});

// No dynamic cookie expiration
app.get('/no-update', (req, res) => {
    res.setHeader('Content-Type', 'text/html');
    res.write('<p>views: ' + req.session.views + '</p>');
    res.write('<p>expires in: ' + req.session.cookie.maxAge + 's</p>');
    res.end();
});

app.listen(3000, ()=> {
    console.log('Server running');
});

isidroamv avatar Jun 15 '18 17:06 isidroamv

@TGNC I'm curious how you addressed this. I needed to implement this and didn't find generic way using the lib, so this is the approach that I'm using.

// server/middleware/session.js
import session from 'express-session'

const buildSessionConfig = (options) => session({
  ...,
  rolling: options.rolling,
})

const rollingSession    = buildSessionConfig({ rolling: true })
const nonRollingSession = buildSessionConfig({ rolling: false })

export default (req, res, next) => {
  if (req.path.startsWith('/pooling/')) {
    nonRollingSession(req, res, next)
  } else {
    rollingSession(req, res, next)
  }
}

// server/index.js
import Express from 'express'
import session from 'middleware/session'

const app = Express()
app.use(session)

rafaelsales avatar Oct 10 '18 14:10 rafaelsales

To me, the ideal solution is to make the rolling option accept a function(req) => [true|false]

rafaelsales avatar Oct 10 '18 14:10 rafaelsales

@TGNC Does the solution provided by @isidroamv helped resolving your issue ??

HarshithaKP avatar Oct 31 '19 09:10 HarshithaKP