connect-mongo icon indicating copy to clipboard operation
connect-mongo copied to clipboard

Published 20 hours ago verified publisher icon jdesboeufs

touch does not update session.cookie.expires

Open thernstig opened this issue 4 years ago • 34 comments

When resave: false and rolling: true then the store will update the top-level expires in the session database on each request. express-session will also update the cookie and send it with every response.

The problem is that the stored document at the path session.cookie.expires does not get updated, so it is out-of-sync with both the top level expires as well as the expires in the cookie.

Since the touch() implementation already sends a call to the database to update the top-level expires should it not also update session.cookie.expires ?

This is the configuration of express-session:

  const store = new MongoStore({
    mongooseConnection: db,
    stringify: false,
  });

    session({
      secret: 'some_secret',
      resave: false,
      rolling: true,
      saveUninitialized: false,
      cookie: {
        maxAge: 60000,
        secure: true,
        httpOnly: true,
      },
      store,
    })

The actual document saved to the store looks something like this:

{
  "_id": "f2yQHE_BPi6UKV4pMuM7xluGPwQIhxIU",
  "expires": {
    "$date": "2020-02-03T15:23:54.646Z"
  },
  "session": {
    "cookie": {
      "originalMaxAge": 3599997,
      "expires": {
        "$date": "2020-02-03T15:04:06.890Z"
      },
      "secure": false,
      "httpOnly": true,
      "domain": null,
      "path": "/",
      "sameSite": null
    },
    "passport": {
      "user": "someUser"
    }
  }
}

thernstig avatar Feb 03 '20 14:02 thernstig

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 03 '20 14:04 stale[bot]

Activity!

thernstig avatar Apr 03 '20 15:04 thernstig

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 02 '20 15:06 stale[bot]

Unstale

thernstig avatar Jun 02 '20 20:06 thernstig

So what is the expected behavior? The inner expires should sync with the outer one? If it is a bug. What is the current impact?

mingchuno avatar Jul 20 '20 07:07 mingchuno

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Sep 18 '20 10:09 stale[bot]

Unstale

thernstig avatar Sep 18 '20 13:09 thernstig

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Nov 19 '20 03:11 stale[bot]

unstale

Ping @mingchuno

thernstig avatar Nov 19 '20 16:11 thernstig

As cookie expiration may be taken from the session line, it may lead to bugs if these two lines won't be synchronized. I think adding updateFields.session = this.transformFunctions.serialize(session) should fix this.

https://github.com/jdesboeufs/connect-mongo/blob/6c62235206dcfd6c8e1bf5b73927b6b1297b5e65/src/index.js#L350-L352

AaronPorts avatar Nov 20 '20 18:11 AaronPorts

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jan 20 '21 00:01 stale[bot]

unstale

thernstig avatar Jan 21 '21 15:01 thernstig

Ping @YC

thernstig avatar Jan 21 '21 15:01 thernstig

https://github.com/jdesboeufs/connect-mongo/blob/6c62235206dcfd6c8e1bf5b73927b6b1297b5e65/src/index.js#L350-L354

https://github.com/jdesboeufs/connect-mongo/blob/6c62235206dcfd6c8e1bf5b73927b6b1297b5e65/test/legacy-tests.test.js#L525-L532

https://github.com/jdesboeufs/connect-mongo/blob/6c62235206dcfd6c8e1bf5b73927b6b1297b5e65/test/legacy-tests.test.js#L540-L547

The tests seem to be inconsistent as to what should be passed in the touch function.

YC avatar Jan 22 '21 01:01 YC

@YC do you recon what I described in my original post is the correct thing?

thernstig avatar Jan 22 '21 10:01 thernstig

If the cookie is updated due to rolling, I think it makes sense for session.cookie and its expiry to be updated accordingly also. https://github.com/expressjs/session/issues/33#issuecomment-42497814

YC avatar Jan 22 '21 11:01 YC

@YC great, looking forward to the fix :)

thernstig avatar Jan 25 '21 13:01 thernstig

@thernstig @YC I have just rewrite the code using TS and published a new version! Can you please help me try it out to see of it fix your issue? https://www.npmjs.com/package/connect-mongo

mingchuno avatar Feb 22 '21 09:02 mingchuno

I did a few tests on the effects of resave and rolling.

v3
resave: true,  rolling: true    expires, session.cookie.expires updates
resave: true,  rolling: false   expires, session.cookie.expires updates
resave: false, rolling: true    expires updates
resave: false, rolling: false   expires updates

v4
all combinations                expires, session.cookie.expires updates

Therefore, I think that the changes in #383 may have fixed resave: false, rolling: true but introduced regressions in other combinations. Apologies for this.

YC avatar Feb 22 '21 13:02 YC

@YC Ya. I exactly patch your code to v4 but I didn't test thoroughly. So should we revert the changes first ? I love your table and I should probely convert it to some kind of unit test ... 🤔

mingchuno avatar Feb 22 '21 14:02 mingchuno

@YC Btw can you give me a table on the expected behaviour?

mingchuno avatar Feb 22 '21 15:02 mingchuno

Maybe it will be better to roll back the change first. I'm currently unsure about the effects of expires and session.cookie.expires and whether they should always stay in sync. To make sure, I think a closer look needs to be taken at why both exists and integration tests with express-session will have to be written. Unfortunately, I don't currently have time to further investigate, but will come back to the issue if it drags out. Again, apologies for this.

YC avatar Feb 23 '21 06:02 YC

@YC I have just reverted it in develop branch. https://github.com/jdesboeufs/connect-mongo/commit/82e1831b80fc5982b31a14b8db7dd0490d42d3a9 I will group the bug fixes and cut a release later.

mingchuno avatar Feb 23 '21 06:02 mingchuno

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 02 '21 16:06 stale[bot]

unstale

thernstig avatar Jun 02 '21 17:06 thernstig

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Aug 03 '21 02:08 stale[bot]

unstale

YC avatar Aug 03 '21 02:08 YC

@YC What still need to be follow up on this issue?

mingchuno avatar Aug 03 '21 03:08 mingchuno

Current Behavior

resave rolling expires session.expires
false false y n
false true y n
true false y y
true true y y

Expected Behavior (my opinion)

I performed a quick search on expires. It seems like to me that it (the top level expires) is used to perform faster queries and should reflect the value in the cookie.

resave rolling expires session.expires Justification
false false n n If session is not modified and resave is false, then db should be unchanged.
false true y y "With [rolling] enabled, the session identifier cookie will expire in maxAge since the last response was sent instead of in maxAge since the session was last modified by the server." Expiration always rolling. (See discussion in issue linked above)
true false n n resave forces the session to be saved back to the session store. No mention of expires
true true y y "With [rolling] enabled, the session identifier cookie will expire in maxAge since the last response was sent instead of in maxAge since the session was last modified by the server."

Reference: https://expressjs.com/en/resources/middleware/session.html

Happy to have a look at code if everyone agrees.

YC avatar Aug 03 '21 08:08 YC

Here are the logs from the different cases.

resave: true, rolling: true
2021-08-07T06:00:39.109Z connect-mongo create MongoStore instance
2021-08-07T06:00:39.113Z connect-mongo Creating MongoDB TTL index
Sat, 07 Aug 2021 06:00:39 GMT express-session no SID sent, generating session
Sat, 07 Aug 2021 06:00:39 GMT express-session saving DJW_JaSWR-41-zW3df0G0g7HB8t5bwK4
2021-08-07T06:00:39.119Z connect-mongo MongoStore#set=DJW_JaSWR-41-zW3df0G0g7HB8t5bwK4
Sat, 07 Aug 2021 06:00:39 GMT express-session split response
Session {
  cookie: {
    path: '/',
    _expires: 2021-08-08T06:00:39.119Z,
    originalMaxAge: 86400000,
    httpOnly: true
  },
  x: 0
}
Sat, 07 Aug 2021 06:00:39 GMT express-session set-cookie connect.sid=s%3ADJW_JaSWR-41-zW3df0G0g7HB8t5bwK4.Mlxlz9E4Fec%2BzWdLz%2F1GwBnUpo9w1vQ2H2FDxz1GAOY; Path=/; Expires=Sun, 08 Aug 2021 06:00:39 GMT; HttpOnly
Sat, 07 Aug 2021 06:00:40 GMT express-session fetching DJW_JaSWR-41-zW3df0G0g7HB8t5bwK4
2021-08-07T06:00:40.629Z connect-mongo MongoStore#get=DJW_JaSWR-41-zW3df0G0g7HB8t5bwK4
Sat, 07 Aug 2021 06:00:40 GMT express-session session found
Sat, 07 Aug 2021 06:00:40 GMT express-session saving DJW_JaSWR-41-zW3df0G0g7HB8t5bwK4
2021-08-07T06:00:40.634Z connect-mongo MongoStore#set=DJW_JaSWR-41-zW3df0G0g7HB8t5bwK4
Sat, 07 Aug 2021 06:00:40 GMT express-session split response
Session {
  cookie: {
    path: '/',
    _expires: 2021-08-08T06:00:40.634Z,
    originalMaxAge: 86400000,
    httpOnly: true,
    secure: null,
    domain: null,
    sameSite: null
  },
  x: 0
}
Sat, 07 Aug 2021 06:00:40 GMT express-session set-cookie connect.sid=s%3ADJW_JaSWR-41-zW3df0G0g7HB8t5bwK4.Mlxlz9E4Fec%2BzWdLz%2F1GwBnUpo9w1vQ2H2FDxz1GAOY; Path=/; Expires=Sun, 08 Aug 2021 06:00:40 GMT; HttpOnly

resave: false, rolling: true
2021-08-07T06:00:40.648Z connect-mongo create MongoStore instance
2021-08-07T06:00:40.655Z connect-mongo Creating MongoDB TTL index
Sat, 07 Aug 2021 06:00:40 GMT express-session no SID sent, generating session
Sat, 07 Aug 2021 06:00:40 GMT express-session saving tDfmWIhYXIVhMQKU75xOA7EhrHIsFUM_
2021-08-07T06:00:40.662Z connect-mongo MongoStore#set=tDfmWIhYXIVhMQKU75xOA7EhrHIsFUM_
Sat, 07 Aug 2021 06:00:40 GMT express-session split response
Session {
  cookie: {
    path: '/',
    _expires: 2021-08-08T06:00:40.662Z,
    originalMaxAge: 86400000,
    httpOnly: true
  },
  x: 0
}
Sat, 07 Aug 2021 06:00:40 GMT express-session set-cookie connect.sid=s%3AtDfmWIhYXIVhMQKU75xOA7EhrHIsFUM_.sQdrQCEzsT7%2Boc6LXJJZJEUCi%2BWLNQgEajuayXEVefQ; Path=/; Expires=Sun, 08 Aug 2021 06:00:40 GMT; HttpOnly
Sat, 07 Aug 2021 06:00:42 GMT express-session fetching tDfmWIhYXIVhMQKU75xOA7EhrHIsFUM_
2021-08-07T06:00:42.173Z connect-mongo MongoStore#get=tDfmWIhYXIVhMQKU75xOA7EhrHIsFUM_
Sat, 07 Aug 2021 06:00:42 GMT express-session session found
Sat, 07 Aug 2021 06:00:42 GMT express-session touching
2021-08-07T06:00:42.177Z connect-mongo MongoStore#touch=tDfmWIhYXIVhMQKU75xOA7EhrHIsFUM_
Session {
  cookie: {
    path: '/',
    _expires: 2021-08-08T06:00:42.177Z,
    originalMaxAge: 86400000,
    httpOnly: true,
    secure: null,
    domain: null,
    sameSite: null
  },
  x: 0
}
Sat, 07 Aug 2021 06:00:42 GMT express-session split response
Sat, 07 Aug 2021 06:00:42 GMT express-session set-cookie connect.sid=s%3AtDfmWIhYXIVhMQKU75xOA7EhrHIsFUM_.sQdrQCEzsT7%2Boc6LXJJZJEUCi%2BWLNQgEajuayXEVefQ; Path=/; Expires=Sun, 08 Aug 2021 06:00:42 GMT; HttpOnly
Sat, 07 Aug 2021 06:00:42 GMT express-session touched

resave: true, rolling: false
2021-08-07T06:00:42.209Z connect-mongo create MongoStore instance
2021-08-07T06:00:42.212Z connect-mongo Creating MongoDB TTL index
Sat, 07 Aug 2021 06:00:42 GMT express-session no SID sent, generating session
Sat, 07 Aug 2021 06:00:42 GMT express-session saving glO8qxkC2gEkvf8IXsPR5Qtl0zL0rgyW
2021-08-07T06:00:42.216Z connect-mongo MongoStore#set=glO8qxkC2gEkvf8IXsPR5Qtl0zL0rgyW
Sat, 07 Aug 2021 06:00:42 GMT express-session split response
Session {
  cookie: {
    path: '/',
    _expires: 2021-08-08T06:00:42.216Z,
    originalMaxAge: 86400000,
    httpOnly: true
  },
  x: 0
}
Sat, 07 Aug 2021 06:00:42 GMT express-session set-cookie connect.sid=s%3AglO8qxkC2gEkvf8IXsPR5Qtl0zL0rgyW.n0ndWlNgUA4F5dQPto6h2wTHB7W2oG3rE0VUv%2BbZuj4; Path=/; Expires=Sun, 08 Aug 2021 06:00:42 GMT; HttpOnly
Sat, 07 Aug 2021 06:00:43 GMT express-session fetching glO8qxkC2gEkvf8IXsPR5Qtl0zL0rgyW
2021-08-07T06:00:43.725Z connect-mongo MongoStore#get=glO8qxkC2gEkvf8IXsPR5Qtl0zL0rgyW
Sat, 07 Aug 2021 06:00:43 GMT express-session session found
Sat, 07 Aug 2021 06:00:43 GMT express-session saving glO8qxkC2gEkvf8IXsPR5Qtl0zL0rgyW
2021-08-07T06:00:43.730Z connect-mongo MongoStore#set=glO8qxkC2gEkvf8IXsPR5Qtl0zL0rgyW
Sat, 07 Aug 2021 06:00:43 GMT express-session split response
Session {
  cookie: {
    path: '/',
    _expires: 2021-08-08T06:00:43.730Z,
    originalMaxAge: 86400000,
    httpOnly: true,
    secure: null,
    domain: null,
    sameSite: null
  },
  x: 0
}

resave: false, rolling: false
2021-08-07T06:00:43.746Z connect-mongo create MongoStore instance
2021-08-07T06:00:43.753Z connect-mongo Creating MongoDB TTL index
Sat, 07 Aug 2021 06:00:43 GMT express-session no SID sent, generating session
Sat, 07 Aug 2021 06:00:43 GMT express-session saving SEBpItQ9cEs2qWWZVIgQbTpuWXieEzg5
2021-08-07T06:00:43.761Z connect-mongo MongoStore#set=SEBpItQ9cEs2qWWZVIgQbTpuWXieEzg5
Sat, 07 Aug 2021 06:00:43 GMT express-session split response
Session {
  cookie: {
    path: '/',
    _expires: 2021-08-08T06:00:43.761Z,
    originalMaxAge: 86400000,
    httpOnly: true
  },
  x: 0
}
Sat, 07 Aug 2021 06:00:43 GMT express-session set-cookie connect.sid=s%3ASEBpItQ9cEs2qWWZVIgQbTpuWXieEzg5.cEF8QS9s9bj%2FsOX0w2TICNlGFHeUwQChBo0z4DBoXFI; Path=/; Expires=Sun, 08 Aug 2021 06:00:43 GMT; HttpOnly
Sat, 07 Aug 2021 06:00:45 GMT express-session fetching SEBpItQ9cEs2qWWZVIgQbTpuWXieEzg5
2021-08-07T06:00:45.272Z connect-mongo MongoStore#get=SEBpItQ9cEs2qWWZVIgQbTpuWXieEzg5
Sat, 07 Aug 2021 06:00:45 GMT express-session session found
Sat, 07 Aug 2021 06:00:45 GMT express-session touching
2021-08-07T06:00:45.277Z connect-mongo MongoStore#touch=SEBpItQ9cEs2qWWZVIgQbTpuWXieEzg5
Sat, 07 Aug 2021 06:00:45 GMT express-session split response
Session {
  cookie: {
    path: '/',
    _expires: 2021-08-08T06:00:45.276Z,
    originalMaxAge: 86400000,
    httpOnly: true,
    secure: null,
    domain: null,
    sameSite: null
  },
  x: 0
}
Sat, 07 Aug 2021 06:00:45 GMT express-session touched

rolling seems to trigger set-cookie, which follows from https://github.com/expressjs/session/blob/master/index.js#L472 resave: true causes set to be called, instead of touch. However, I don't see a way to keep the db in sync. Any ideas?

YC avatar Aug 07 '21 06:08 YC

unstale.....

LouisVA avatar Feb 25 '22 22:02 LouisVA

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 28 '22 00:04 stale[bot]

Since it's not perhaps very clear how this mechanism works, it might be beneficial to write some integration tests against express-session. Unassigning myself for now...

YC avatar Apr 28 '22 01:04 YC