ExpressJS session expiring despite activity

Question

Bringing this question to SO since the express group didn't have an answer.

I'm setting the session maxAge = 900000 and I see that the the expires property on the session cookie is set correctly. However, on subsequent requests the timeout is not being extended. It is never extended and the cookie eventually expires.

The session middleware docs say that Session#touch() isn't necessary because the session middleware will do it for me. I actually tried calling req.session.touch() manually and that did nothing, I also tried setting the maxAge on the req.session.cookie as well and that did nothing :-(

Am I missing a setting somewhere to automatically extend active sessions? Short of recreating the cookie manually on each request is there any other way to extend a session timeout after end-user activity?

EDIT: I experienced this problem in express v3. I'm not 100% sure but I think this note from the express changelog may have been the culprit:

changed session() to only set-cookie on modification (hashed session json)

I have used express 2.x in one of my project last one year. It's working as awesome on handling session-cookie and more there is a lot of things to focus in this case. You have to confirm with your cookies properties like path, protocal(http only) and secure. In general, any HTTP transaction will expect the cookie which is set by previous request for further process of authentication. So do some debug in client(Browser) by using firebug or Chrome debugger.And Post your code snippet to give more relevant answer — HILARUDEEN S ALLAUDEEN, Jan 25 '13 at 09:29
@jckdnk111 - that changelog link seems to have gone - do you have another? — UpTheCreek, Sep 21 '15 at 11:26

score 34 · Answer 1 · edited Aug 06 '17 at 13:32

34

Rolling sessions now exist in express sessions. Setting the rolling attribute to true in the options, it will recalculate the expiry value by setting the maxAge offset, applied to the current time.

https://github.com/expressjs/session/issues/3

https://github.com/expressjs/session/issues/33

https://github.com/expressjs/session (search for rolling)

For example, note the rolling:

app.use(session({
  secret: 'a secret',
  cookie: {
    path: '/',
    httpOnly: true,
    secure: false,
    maxAge: 10 * 60 * 1000
  },
  rolling: true
}));

edited Aug 06 '17 at 13:32

Community

1
1

answered Jul 17 '14 at 03:25

gdw2

7,558
4
46
49

2

This should be the accepted answer as per the latest config option provided by express-session module. – Piyush Beli Jan 15 '17 at 14:36
upvoted! what is the value of resave in your setting? does it being false or true affect rolling? – PirateApp Nov 15 '19 at 16:44

score 19 · Accepted Answer · answered Jan 25 '13 at 20:30

19

Here is the solution in case anyone else has the same issue:

function (req, res, next) {

    if ('HEAD' == req.method || 'OPTIONS' == req.method) return next();

    // break session hash / force express to spit out a new cookie once per second at most
    req.session._garbage = Date();
    req.session.touch();

    next();

}

answered Jan 25 '13 at 20:30

jckdnk111

2,280
5
33
43

2

Shouldn't this be reported as a bug? – UpTheCreek May 13 '13 at 09:03
I asked about it on the forums and no one seemed to think so. I suppose it could be thought of as a feature since you actually have control over when to extend or not extend the session. – jckdnk111 May 13 '13 at 19:25
12

Seems like strange default behaviour to me! – UpTheCreek May 14 '13 at 07:36
Indeed, it is counter intuitive at least. Spent an hour trying to figure out why it doesn't work out of the box despite the manual session.touch() call. Thanks a lot man. – Igor Malyk Nov 22 '13 at 13:11
1

There is a bug report about this behaviour: https://github.com/senchalabs/connect/issues/670 – Chris Foster Dec 18 '13 at 23:46
What is this mean `req.session._garbage = Date();` ?? – Jan 15 '19 at 13:58

ExpressJS session expiring despite activity

2 Answers2

Linked