Setting Node.js Express session expiration time in SessionStore in stead of in cookie

node.js session cookies express session-cookies

38,350

With the Session middleware, only the encrypted session ID is stored in the client side cookie. The expired date is stored as req.session.cookie.expires in the server side store. So we can add a custom middle to check whether current session is expired.

// ...
app.use(express.cookieParser());
app.use(express.session({secret:'yoursecret', cookie:{maxAge:6000}}));

app.use(function(req, res, next) {
  // if now() is after `req.session.cookie.expires`
  //   regenerate the session
  next();
});

// ...

38,350

Author by

Redsandro

Lazy Media Creator #SOreadytohelp

Updated on July 27, 2022

Comments

Redsandro almost 2 years
Everything I can find on Express Sessions expiring times is about setting the cookie.
```
session.cookie.expires = null; // Browser session cookie  
session.cookie.expires = 7 * 24 * 3600 * 1000; // Week long cookie
```
But the expire date of cookies is not 'secured' with your secret, as these are just cookie settings your browser manages.

How can I set the expire date of the session in the session store? Because theoretically, when someone uses your computer, they can 'fix' the expiration time of an expired cookie and continue the session, if the server side session isn't also expired at the same time as the cookie.

I can't find anything about how this works or how to set/change this.
Thor84no over 8 years

Always copy the most relevant bits to the answer so someone can still solve their problem even if your link goes dead.
ggorlen about 3 years

Your answer is in another castle