ExpressJS session expiring despite activity
Solution 1
Here is the solution in case anyone else has the same issue:
function (req, res, next) {
if ('HEAD' == req.method || 'OPTIONS' == req.method) return next();
// break session hash / force express to spit out a new cookie once per second at most
req.session._garbage = Date();
req.session.touch();
next();
}
Solution 2
Rolling sessions now exist in express sessions. Setting the rolling attribute to true in the options, it will recalculate the expiry value by setting the maxAge offset, applied to the current time.
https://github.com/expressjs/session/issues/3
https://github.com/expressjs/session/issues/33
https://github.com/expressjs/session (search for rolling)
For example, note the rolling
:
app.use(session({
secret: 'a secret',
cookie: {
path: '/',
httpOnly: true,
secure: false,
maxAge: 10 * 60 * 1000
},
rolling: true
}));
Related videos on Youtube
jckdnk111
Updated on July 05, 2022Comments
-
jckdnk111 almost 2 years
Bringing this question to SO since the express group didn't have an answer.
I'm setting the session maxAge = 900000 and I see that the the expires property on the session cookie is set correctly. However, on subsequent requests the timeout is not being extended. It is never extended and the cookie eventually expires.
The session middleware docs say that Session#touch() isn't necessary because the session middleware will do it for me. I actually tried calling
req.session.touch()
manually and that did nothing, I also tried setting the maxAge on thereq.session.cookie
as well and that did nothing :-(Am I missing a setting somewhere to automatically extend active sessions? Short of recreating the cookie manually on each request is there any other way to extend a session timeout after end-user activity?
EDIT: I experienced this problem in express v3. I'm not 100% sure but I think this note from the express changelog may have been the culprit:
-
HILARUDEEN S ALLAUDEEN over 11 yearsI have used express 2.x in one of my project last one year. It's working as awesome on handling session-cookie and more there is a lot of things to focus in this case. You have to confirm with your cookies properties like path, protocal(http only) and secure. In general, any HTTP transaction will expect the cookie which is set by previous request for further process of authentication. So do some debug in client(Browser) by using firebug or Chrome debugger.And Post your code snippet to give more relevant answer
-
UpTheCreek over 8 years@jckdnk111 - that changelog link seems to have gone - do you have another?
-
-
UpTheCreek almost 11 yearsShouldn't this be reported as a bug?
-
jckdnk111 almost 11 yearsI asked about it on the forums and no one seemed to think so. I suppose it could be thought of as a feature since you actually have control over when to extend or not extend the session.
-
UpTheCreek almost 11 yearsSeems like strange default behaviour to me!
-
Igor Malyk over 10 yearsIndeed, it is counter intuitive at least. Spent an hour trying to figure out why it doesn't work out of the box despite the manual session.touch() call. Thanks a lot man.
-
Chris Foster over 10 yearsThere is a bug report about this behaviour: github.com/senchalabs/connect/issues/670
-
Piyush Beli over 7 yearsThis should be the accepted answer as per the latest config option provided by express-session module.
-
Admin over 5 yearsWhat is this mean
req.session._garbage = Date();
?? -
PirateApp over 4 yearsupvoted! what is the value of resave in your setting? does it being false or true affect rolling?