
I'm currently using express-session with connect-mongodb-session to store sessions and cookies.

This is my implementation:

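app.js

```js
const express = require('express')
const session = require('express-session')
const MongoDBStore = require('connect-mongodb-session')(session)

// mongoURI and the User model are defined elsewhere in the app
const app = express()

// Sessions are persisted in the 'mySessions' MongoDB collection
const store = new MongoDBStore({
    uri: mongoURI,
    collection: 'mySessions'
});

app.use(session({
    secret: 'whatever',
    store: store,
    resave: false,
    saveUninitialized: true,
    cookie: {
        maxAge: 30000 // only 30 secs to help with testing
    }
}))

app.use(express.urlencoded({ extended: true }))

// Load the logged-in user (if any) and expose the auth flag to the views
app.use(async (req, res, next) => {
    console.log('req.session', req.session)
    try {
        if (req.session && req.session.userId) {
            const user = await User.findById(req.session.userId)
            req.user = user
            req.session.auth = true
            res.locals.auth = req.session.auth
        } else {
            res.locals.auth = null
        }

        next()

    } catch (error) {
        console.log('auth middleware error', error)
        next(error) // pass the error on so the request does not hang
    }
})
```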

Right now I'm using 30 seconds for maxAge so I can test the behaviour of the app.

What happens is if the user closes the browser and comes back before 30 seconds, they remain logged in. Else, the cookie is no longer valid and the user has to log in again. This is ok.

However, if the user is browsing and, after 30 seconds, they make any request, the cookie is no longer active.

I'd like it to work like this: if the user is using the app, but the 30 seconds maxAge is done, the session and cookie are renewed automatically, with a renewed maxAge, so the user doesn't have to log in again while he is using the app.

But if the user closed the browser and came back after maxAge, they are required to log in again (which already happens).

Thank you.

Eulavo
  • I'm not sure this is possible, because the behaviors of the user either not using the app after 30 seconds and making a request, and the user not using the app after 30 seconds but then continuing to use it (hence making requests) are virtually the exact same. So I would say this isn't possible. – roger Jan 20 '22 at 20:36
  • What I mean is, for instance, every time the user makes a request, maxAge is renewed. I don't know how to explain or how it is implemented, sorry. But it's like when using StackOverflow. You don't get automatically logged out when you're already logged in, unless you didn't use the site for a long time so the session was never updated (since you spent a long time without making a new request). – Eulavo Jan 20 '22 at 21:42
  • Got it, okay. My suggestion would be to use longer timeouts. I wouldn't know any other way unless you can utilize `express-session` variables to set your session every time you make a request, but not sure that would work. – roger Jan 20 '22 at 22:11
  • Does this answer your question? [How to extend express session timeout](https://stackoverflow.com/questions/46630368/how-to-extend-express-session-timeout) – Joe Jan 21 '22 at 11:54
  • @Joe Almost. Now, as long as the user is making requests, they remain logged in, which is definitely an improvement. But if the user is logged in, still browsing, and remains idle for 30 secs (the maxAge), they get logged out. What I need is a way for the user to remain logged in if they are browsing but not making a request. The session needs to expire ONLY if the user closed the browser AND MaxAge is expired. So, for instance, if the user is logged in to StackOverflow and they are reading a question but not making requests, and maxAge expires, maxAge is reset. – Eulavo Jan 21 '22 at 15:39
  • That's going to be difficult unless you're making some kind of regular ping behind the scenes, essentially a poller that is continually refreshing the session while your page is up. The back end is basically the same as the above, but this means your client must maintain an active and persistent connection to the back end (or poll on an interval that's shorter than the session expiration time) to get a new session issued each round trip. – Joe Jan 21 '22 at 18:29
  • @Joe I'm thinking maybe express-session is not the way to go. Just out of curiosity, what would you say is the best way to implement these kinds of features we're talking about using node? I mean, since it isn't impossible to do (Netflix, for instance, never logged me out, UNLESS I spent a long time without accessing it), what type of persistence mechanism besides sessions could be used? Thanks. – Eulavo Jan 21 '22 at 18:54
  • I don’t think express session is the problem. I think what you have to solve is what interaction from your browser app to the server happens to keep the session alive while otherwise idle? – Joe Jan 22 '22 at 12:55

0 Answers
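
The renewal behaviour discussed in the comments, as an added example that is not part of the original thread: a dependency-free model of sliding expiry, which is what express-session does to the cookie when its `rolling: true` option is set, replayed against a fake clock for an active user, an idle reader, and an idle reader whose page sends a heartbeat. The names `SlidingSessions`, `touch`, `IDLE_MS` and `ABSOLUTE_MS` are hypothetical, and the 8-hour absolute cap is an assumption added so that an open tab with a heartbeat cannot keep a session alive indefinitely.

```javascript
// Added example: an in-memory model of sliding session expiry.
// SlidingSessions, touch, IDLE_MS and ABSOLUTE_MS are hypothetical names.
const IDLE_MS = 30 * 1000               // the question's 30 s maxAge
const ABSOLUTE_MS = 8 * 60 * 60 * 1000  // assumed hard cap on session lifetime

class SlidingSessions {
  constructor(now = Date.now) {
    this.now = now
    this.sessions = new Map()
  }

  create(id, userId) {
    const t = this.now()
    this.sessions.set(id, { userId, createdAt: t, expiresAt: t + IDLE_MS })
  }

  // Call on every request, including background heartbeat pings.
  // Returns the userId while the session is valid, otherwise null.
  touch(id) {
    const s = this.sessions.get(id)
    const t = this.now()
    if (!s || t >= s.expiresAt || t - s.createdAt >= ABSOLUTE_MS) {
      this.sessions.delete(id) // expired: drop the server-side state as well
      return null
    }
    // Slide the idle window forward, but never past the absolute cap.
    s.expiresAt = Math.min(t + IDLE_MS, s.createdAt + ABSOLUTE_MS)
    return s.userId
  }
}

// Replays constructed request times (ms after login) against a fake clock.
function simulate(requestTimesMs) {
  let clock = 0
  const store = new SlidingSessions(() => clock)
  store.create('sid-1', 'user-42') // constructed sample values
  return requestTimesMs.map((t) => {
    clock = t
    return store.touch('sid-1') !== null
  })
}

function demo() {
  const every20s = Array.from({ length: ABSOLUTE_MS / 20000 }, (_, i) => (i + 1) * 20000)
  return {
    activeUser: simulate([20000, 40000, 60000]),           // a request every 20 s
    idleReader: simulate([20000, 55000]),                  // 35 s gap, no heartbeat
    withHeartbeat: simulate([20000, 35000, 50000, 55000]), // 15 s pings while reading
    cappedAt8h: simulate(every20s).lastIndexOf(true) + 1,  // requests served before the cap
  }
}
```

The heartbeat interval has to be shorter than the idle window, as the 15-second pings against the 30-second `IDLE_MS` are here.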