
My application is using connect-mongo, express-session, keystone and passport for handling login and user sessions.

However, when a session ends (the user logs out or closes the browser window) the session is not removed from the MongoDB session store.

Here's my middleware setup:

var express = require('express')
    , path = require('path')
    , cookieParser = require('cookie-parser')
    , bodyParser = require('body-parser')
    , passport = require('passport')
    , session = require('express-session')
    , mongoStore = require('connect-mongo')(session)
    , compression = require('compression')
    , favicon = require('serve-favicon')
    , config = require('../config')
    , flash = require('connect-flash');

// app is created elsewhere in the original; declared here so the snippet stands alone
var app = express();

app.use(bodyParser.json({limit: '50mb'}));
app.use(bodyParser.urlencoded({limit: '50mb', parameterLimit: 52428800, extended: true}));
app.use(cookieParser(process.env.COOKIE_SECRET));
app.use(compression());
app.use(express.static(path.join(__dirname, '../', config.get('staticContentPath')), {
    maxAge: (60 * 60 * 24 * 7) * 1000 // 7 days, in milliseconds
}));

app.use(session({
    secret: process.env.COOKIE_SECRET,
    resave: false,
    saveUninitialized: true, // persists a store document for every new, untouched session
    cookie: {
        maxAge: 24 * 60 * 60 * 1000 // 24 hrs
    },
    store: new mongoStore({
        url: config.get('mongo')
    })
}));

// passport must come after the session middleware so it can read req.session
app.use(passport.initialize());
app.use(passport.session());

The collection name for sessions in MongoDB is app_sessions. A search in my dependency tree reveals that this is handled by the Keystone CMS.

Also, the cookie name is keystone.sid.

This is my Keystone config:

var config = require('../../lib/config')
    , keystone = require('keystone');

module.exports = function(app){

    keystone.init({
        'app': app,
        'port': config.get('keystone').port,
        'brand': config.get('sitename'),
        'views': app.get('views'),
        'view engine': app.get('view engine'),
        'custom engine': app.get('custom engine'),
        'auto update': false,
        'session': true,
        'session store': 'mongo',
        'auth': true,
        'user model': 'Account',
        'cookie secret': process.env.COOKIE_SECRET,
        'compress': true,
        'frame_guard': 'deny',
        'mongo': config.get('mongo')
    });

    keystone.import('../../lib/models');
    keystone.start();
};

And finally some example session objects from MongoDB:

{ 
    "_id" : "GUL2jwhCvqZHO7Gqy8KCHod1qJmrl6j4", 
    "session" : "{\"cookie\":{\"originalMaxAge\":null,\"expires\":null,\"httpOnly\":true,\"path\":\"/\"},\"_garbage\":\"2016-08-17T13:01:53.475Z\",\"guestPageViews\":1,\"flash\":{}}", 
    "expires" : ISODate("2016-08-31T13:01:57.642+0000")
},
{ 
    "_id" : "C-4cuoyIGHgYM8hLGhQVOv3bRwChwkxq", 
    "session" : "{\"cookie\":{\"originalMaxAge\":null,\"expires\":null,\"httpOnly\":true,\"path\":\"/\"},\"_garbage\":\"2016-08-17T13:02:44.000Z\",\"guestPageViews\":1,\"flash\":{}}", 
    "expires" : ISODate("2016-08-31T13:02:51.473+0000")
},
{ 
    "_id" : "foE9ewU3eoJXIzkW97GSbMGNzFt2W4ww", 
    "session" : "{\"cookie\":{\"originalMaxAge\":null,\"expires\":null,\"httpOnly\":true,\"path\":\"/\"},\"_garbage\":\"2016-08-17T13:04:35.294Z\",\"guestPageViews\":1,\"flash\":{}}", 
    "expires" : ISODate("2016-08-31T13:04:38.979+0000")
},
{ 
    "_id" : "P8ugG4TFHJAuCzNS9aCMSybIS25uFtL1", 
    "session" : "{\"cookie\":{\"originalMaxAge\":null,\"expires\":null,\"httpOnly\":true,\"path\":\"/\"},\"userId\":\"56cadedbc580346a1bd0ee0c\",\"_garbage\":\"2016-08-17T23:57:03.615Z\",\"flash\":{}}", 
    "expires" : ISODate("2016-08-31T23:57:05.203+0000")
}

Can you spot why the sessions would not be destroyed?


1 Answer


Why is the user logged in even after closing the browser?

Obviously because it is a good feature to maintain a session even after the browser is closed. But anyhow, if you want to expire the session on closing of the browser, then you can set the maxAge to -1.

Why is it not removing the session data even after logging out?

I think that's what the developer of keystone.JS might have chosen. I was just looking at the signout function in keystone/lib/session.js.

Here it is calling req.session.regenerate.

Probably it should have called req.session.destroy instead. I just tried to make that change and test, but still I could see the sessions in the database. Then I think the solution is clear_interval.

  • Perhaps I don't fully understand how sessions are supposed to work then. I was under the impression that stored sessions should be deleted when the session ends, but you are saying that as per design, they are kept in the session store, so they can be reused? – ChrisRich Aug 21 '16 at 11:12
  • No, I haven't said that. Did you try the clear_interval suggestion? I tried but could not get success. – enRaiser Aug 21 '16 at 11:21
  • I didn't say that you said that I didn't understand sessions. I said that :-) I'm just starting to think that I should leave the sessions as they are and keep them in the session store. It is probably how it is supposed to work. – ChrisRich Aug 21 '16 at 11:31
  • Hahaha, true. The only issue you will face is when the server shuts down: users will be forced to log in. – enRaiser Aug 21 '16 at 11:34