Set initial maxAge

Open zavr-1 opened this issue 6 years ago • 8 comments

The initial cookie that this middleware drops does not have expires, because maxAge is never set in properties. It is only set later when decoding the cookie, and only if it has been updated, therefore if no data was updated, the cookie is always limited to the session.

Screenshot 2019-06-29 at 04 17 48

zavr-1 avatar Jun 29 '19 01:06 zavr-1

Coverage Status

Coverage remained the same at 100.0% when pulling 0bd88b703ddc0d66365c201ac014ad4cc7624d14 on idiocc:master into a4dcdc467a1e1672256207304a8e9ceafce97f70 on koajs:master.

coveralls avatar Jun 29 '19 01:06 coveralls

There's logic in context.js to handle setting the default maxAge for a cookie, if it isn't explicitly set to session:

https://github.com/koajs/session/blob/10bb12246699101a0c87a2f3e2e09b1a79e10e33/lib/context.js#L290-L307

ONE_DAY is defined in context.js:

const ONE_DAY = 24 * 60 * 60 * 1000;

jmitchell38488 avatar Aug 18 '19 07:08 jmitchell38488

@jmitchell38488 yes but

https://github.com/koajs/session/blob/10bb12246699101a0c87a2f3e2e09b1a79e10e33/lib/context.js#L241-L250

plus my screenshot clearly shows that session's max age is not set.

zavr-1 avatar Aug 18 '19 10:08 zavr-1

What's your option config?

jmitchell38488 avatar Aug 18 '19 10:08 jmitchell38488

@jmitchell38488 there's no config. Why don't you just try it for yourself and see?

zavr-1 avatar Dec 22 '19 00:12 zavr-1

setup

import Koa from 'koa'
import { aqt } from 'rqt'
import session from 'koa-session'

const koa = new Koa()
const s = session(koa, {
  signed: false,
})
koa.use(s)
koa.use((ctx, next) => {
  if (ctx.path == '/max-age') {
    ctx.session.maxAge = 60 * 60 * 1000
  }
  if (ctx.path == '/confirm') {
    ctx.session.user = 'update'
  } else {
    ctx.session.user = 'hello'
  }
  ctx.body = '# ' + ctx.path
})

test

koa.listen(async function() {
  const a = 'http://localhost:' + this.address().port
  let res
  res = await aqt(a)
  log(res)
  res = await aqt(a + '/max-age')
  const { headers: { 'set-cookie': setCookie } } = res
  log(res)
  res = await aqt(a + '/test', {
    headers: { cookie: setCookie },
  })
  // console.log(res)
  log(res)
  res = await aqt(a + '/confirm')
  log(res)
  this.close()
})

const log = (res) => {
  const { body, headers: { 'set-cookie': cookie = [] } } = res
  console.log(body)
  console.log(cookie.map(s => s.split('; ').join('\n ')).join('\n'))
}

output

  1. set session without max age
# /
koa:sess=eyJ1c2VyIjoiaGVsbG8iLCJfZXhwaXJlIjoxNTc3MDY4Nzk1NjA5LCJfbWF4QWdlIjo4NjQwMDAwMH0=
 path=/
 httponly
  2. set with max age
# /max-age
koa:sess=eyJ1c2VyIjoiaGVsbG8iLCJfZXhwaXJlIjoxNTc2OTg1OTk1NjcyLCJfbWF4QWdlIjozNjAwMDAwfQ==
 path=/
 expires=Sun, 22 Dec 2019 03:39:55 GMT
 httponly
  3. accessing the page with cookies without updating them
# /test
  4. step 1 again for blank session, no max age
# /confirm
koa:sess=eyJ1c2VyIjoidXBkYXRlIiwiX2V4cGlyZSI6MTU3NzA2ODc5NTY5NCwiX21heEFnZSI6ODY0MDAwMDB9
 path=/
 httponly

zavr-1 avatar Dec 22 '19 02:12 zavr-1
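The mismatch reported in this thread can be checked mechanically. The following is an added example, not part of the thread and not koa-session's own code: it decodes the unsigned base64 JSON payload of the cookies from steps 1 and 2 of the output above and compares the lifetime stored in the payload with the attributes the browser receives. The function names `parseSetCookie` and `auditSessionCookie` are hypothetical, and the two header strings are rebuilt from that output by rejoining the attributes with `; `.

```javascript
// Added example: audit a koa-session Set-Cookie header for a lifetime mismatch
// between the JSON payload (_maxAge/_expire) and the cookie attributes.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(/;\s*/);
  // Split on the first "=" only: base64 padding in the value also uses "=".
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

function auditSessionCookie(header) {
  const { name, value, attributes } = parseSetCookie(header);
  // With signed: false and the default encoding, the value is base64 JSON.
  const payload = JSON.parse(Buffer.from(value, 'base64').toString('utf8'));
  // Without Expires or Max-Age the browser drops the cookie when it closes.
  const persistent = 'expires' in attributes || 'max-age' in attributes;
  return {
    name,
    payloadMaxAge: payload._maxAge,
    payloadExpire: new Date(payload._expire).toISOString(),
    browserLifetime: persistent ? 'persistent' : 'session',
    // Payload carries a numeric lifetime that the attributes do not reflect.
    mismatch: typeof payload._maxAge === 'number' && !persistent,
  };
}

// Step 1 of the output: default maxAge in the payload, no Expires attribute.
const initialHeader =
  'koa:sess=eyJ1c2VyIjoiaGVsbG8iLCJfZXhwaXJlIjoxNTc3MDY4Nzk1NjA5LCJfbWF4QWdlIjo4NjQwMDAwMH0=' +
  '; path=/; httponly';
// Step 2 of the output: maxAge set explicitly, Expires attribute present.
const explicitHeader =
  'koa:sess=eyJ1c2VyIjoiaGVsbG8iLCJfZXhwaXJlIjoxNTc2OTg1OTk1NjcyLCJfbWF4QWdlIjozNjAwMDAwfQ==' +
  '; path=/; expires=Sun, 22 Dec 2019 03:39:55 GMT; httponly';

console.log(auditSessionCookie(initialHeader));
console.log(auditSessionCookie(explicitHeader));
```

For the step 1 cookie the payload records `_maxAge` of 86400000 ms while the browser treats the cookie as session-scoped; for the step 2 cookie the payload's `_expire` and the `expires` attribute agree.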