
Disable touch on certain paths #287

Closed
EmmEm opened this issue Mar 15, 2016 · 10 comments

EmmEm commented Mar 15, 2016

Hi,

I have some paths that are pinged by the user at a certain interval; I don't want to reset the session TTL when those paths are called. The paths don't manipulate the session in any way, but the touch function is still used.

Am I missing something, or is this a bug?
When checking out the code in index.js, it seems like it will always do a save/touch if cookieId and sessionId match.

// Assumed setup for this snippet (not in the original post): express-session
// and connect-redis, with the store constructor bound to the session module.
const session = require('express-session');
const RedisStore = require('connect-redis')(session);

session({
    saveUninitialized: true,
    unset: 'destroy',
    resave: false, // https://www.npmjs.com/package/express-session#resave
    rolling: true, // https://www.npmjs.com/package/express-session#rolling
    proxy: true, // https://www.npmjs.com/package/express-session#proxy
    name: "connect.sid",
    store: new RedisStore({
        host: config.redis.database.host,
        port: config.redis.database.port,
        db: config.redis.database.index,
        pass: config.redis.database.password
    }),
    secret: config.session.secret,
    cookie: {
        maxAge: config.session.ttl,
        secure: true
    }
})
@dougwilson (Contributor)

Hi! No, this is not a bug, as this module will touch a session any time that session is loaded by design. Whenever a request goes through this middleware, it will load the session.

For your question of excluding for certain paths, you simply don't execute this middleware on those paths. How to do this is the same as you would for any middleware. Possible ways using Express:

  1. Declare the routes you don't want to execute this middleware before this middleware.
  2. Declare this middleware only on the routes you want to load the session, instead of globally.
  3. Enclose it in another middleware that executes this one conditionally based on the path.

@dougwilson dougwilson self-assigned this Mar 15, 2016
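Option 3 above, written out as an added example (this is not code from express-session or from anyone in this thread): a wrapper middleware that only hands the request to the session middleware when the path is not on an exclusion list. On excluded paths the session is never loaded, so the store is never touched. The `recordingMiddleware` stand-in and the sample paths are constructed so the block runs without Express installed; in a real app the inner middleware would be `session(opts)`.

```javascript
// Added example: conditional execution of a middleware by request path.
function unlessPath(excludedPaths, middleware) {
  const skip = new Set(excludedPaths);
  return function (req, res, next) {
    // Express sets req.path; fall back to the raw URL without its query
    // string for plain Node request objects.
    const path = typeof req.path === 'string'
      ? req.path
      : String(req.url || '').split('?')[0];
    if (skip.has(path)) return next();   // bypass: no session load, no touch
    return middleware(req, res, next);
  };
}

// Constructed stand-in for express-session so the example runs offline: it
// records which paths it saw (real express-session would load the session
// here and touch the store when the response ends).
function recordingMiddleware(seen) {
  return function (req, res, next) {
    seen.push(req.path);
    next();
  };
}

// Drive the wrapper with constructed requests. Returns the paths that
// reached the inner middleware and how many times next() ran overall.
function runScenario(paths, excludedPaths) {
  const seen = [];
  const guarded = unlessPath(excludedPaths, recordingMiddleware(seen));
  let nextCalls = 0;
  for (const p of paths) {
    guarded({ path: p, url: p }, {}, function () { nextCalls += 1; });
  }
  return { seen, nextCalls };
}

// Stand-alone run: only /api/data reaches the session middleware.
console.log(runScenario(['/ping', '/api/data', '/health'], ['/ping', '/health']));
```

In an Express app this becomes `app.use(unlessPath(['/ping', '/health'], session(opts)))`. Note that excluded paths then have no `req.session` at all, which is what the original question's follow-up (wanting the session loaded but not touched) is really about; that case needs the store side, not the routing side.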
EmmEm commented Mar 15, 2016

Hi, thanks for your answer.

But what if I want the session to be picked up on that path, but don't want the session touched?

The path is only accessible if the user is logged in.

@sowmitranalla

@EmmEm , I hope you're doing well. Did you ever figure out this requirement? I'd like to disable session.touch() as well for a logged in user so their session expires a certain time limit after logging in.

@josh-renton

@sowmitranalla I'd like the same thing.

@sdanbury

@sowmitranalla @josh-renton did you get anywhere with this in the end?

When using a store like DynamoDB, I am seeing a read and a write for every single request, which can get quite expensive, quite quickly.

Disabling session.touch() for different scenarios would be ideal.


josh-renton commented Nov 26, 2018 via email

@sdanbury

I don't need to hit the database on every request, and I really don't want to.

However, by default, this is what the connect-dynamodb store does through the session.touch() method that a lot of the stores implement. From what I have worked out, the express-session library calls the touch method on every request that uses the library as middleware. This in turn pushes the onus onto the session stores to decide what they will do when touch is called, and in most cases the store does a lookup and a subsequent write. In the connect-dynamodb case, for example, it does a write to update the "expires" attribute of the session in question, which means that every request using the express-session middleware will do a write to DynamoDB.

So, TL;DR: if you want to turn off the "touch on every request" functionality, then use a connect-* library that has a flag to turn it off, or write your own to turn it off.
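The "write your own" route, as an added example (not part of express-session or any connect-* store): a minimal in-memory store following the callback-based interface express-session expects (`get`, `set`, `destroy`, and an optional `touch`). express-session only calls `store.touch()` when `typeof store.touch === 'function'`, so a store that simply does not define `touch` opts out of the per-request refresh. The `touchEnabled` option, the injectable `now` clock and the `remainingTtl` helper are assumptions made for this example; `endOfRequest` is a constructed stand-in for the touch call express-session makes when a response ends.

```javascript
// Added example: a store that can opt out of touch() entirely.
class MinimalStore {
  // opts.touchEnabled (assumed option): expose a touch() method or not.
  // opts.now (assumed option): clock function, injectable for tests.
  constructor(opts = {}) {
    this.sessions = new Map(); // sid -> { data, expiresAt }
    this.now = opts.now || (() => Date.now());
    if (opts.touchEnabled !== false) {
      // Only define touch when enabled: express-session checks
      // typeof store.touch === 'function' before calling it.
      this.touch = (sid, session, cb) => {
        const entry = this.sessions.get(sid);
        if (entry) entry.expiresAt = this.expiryFor(session); // refresh TTL
        cb(null);
      };
    }
  }

  // Expiry derived from the cookie's maxAge, as connect-* stores usually do.
  expiryFor(session) {
    const maxAge = (session && session.cookie && session.cookie.maxAge) || 0;
    return this.now() + maxAge;
  }

  get(sid, cb) {
    const entry = this.sessions.get(sid);
    if (!entry || entry.expiresAt <= this.now()) {
      this.sessions.delete(sid);        // expired or unknown: behave as absent
      return cb(null, null);
    }
    cb(null, entry.data);
  }

  set(sid, session, cb) {
    this.sessions.set(sid, { data: session, expiresAt: this.expiryFor(session) });
    cb(null);
  }

  destroy(sid, cb) {
    this.sessions.delete(sid);
    cb(null);
  }

  // Inspection helper (assumed): milliseconds until expiry, or null if absent.
  remainingTtl(sid) {
    const entry = this.sessions.get(sid);
    return entry ? entry.expiresAt - this.now() : null;
  }
}

// Constructed stand-in for what express-session does at the end of a request
// that loaded an unmodified session: touch the store if it implements touch.
// Returns whether a touch happened.
function endOfRequest(store, sid, session) {
  if (typeof store.touch === 'function') {
    store.touch(sid, session, () => {});
    return true;
  }
  return false;
}

// Constructed scenario: session created at t=0 with a 60 s cookie, then one
// request at t=30 s. Compares the remaining TTL with and without touch.
function compareTouchBehaviour() {
  let clock = 0;
  const now = () => clock;
  const session = { cookie: { maxAge: 60000 } };
  const results = {};
  for (const touchEnabled of [true, false]) {
    clock = 0;
    const store = new MinimalStore({ touchEnabled, now });
    store.set('sid-1', session, () => {});
    clock = 30000;
    const touched = endOfRequest(store, 'sid-1', session);
    results[touchEnabled ? 'touching' : 'noTouch'] =
      { touched, ttl: store.remainingTtl('sid-1') };
  }
  return results;
}

console.log(compareTouchBehaviour());
```

With touch enabled the TTL is pushed back to a full 60 s on every request (idle timeout); without it the session keeps its original deadline, which is the "expires a fixed time after login" behaviour asked for earlier in the thread, at the cost of rolling sessions. Several maintained stores expose this as a flag rather than requiring a custom store; connect-redis, for instance, has a `disableTouch` option.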

jfstephe commented May 9, 2019

This express issue and related PR may help: #557

maxDuration

The maximum amount of time that a session can stay open even if there are continuous
requests that keep the session alive. This is to minimize the total footprint of a session
replay attack in the case where a session identifier is stolen. This will treat the session as
expired and generate a new session. Rolling sessions do not update this behavior.

app.use(session({
 maxDuration: 28800, // duration in seconds (this would be 8 hours)
 secret: 'keyboard cat'
}))
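The absolute-lifetime idea behind maxDuration can be approximated in user land today, as an added example that is not the #557 change and not part of express-session: a middleware that records when a session was first seen in a hypothetical `createdAt` field and, once the limit has passed, calls express-session's `req.session.regenerate()` so the old identifier stops working regardless of how actively it was used. The `fakeRequest` object and the `now` clock parameter are constructed so the block runs without Express.

```javascript
// Added example: absolute session lifetime on top of express-session.
function absoluteTimeout(maxDurationSec, now = () => Date.now()) {
  const limitMs = maxDurationSec * 1000;
  return function (req, res, next) {
    const sess = req.session;
    if (!sess) return next();           // session middleware did not run
    const t = now();
    if (typeof sess.createdAt !== 'number') {
      sess.createdAt = t;               // first sight of this session (assumed field)
      return next();
    }
    if (t - sess.createdAt <= limitMs) return next();
    // Past the absolute limit: regenerate() destroys the old session and
    // attaches a fresh, empty one with a new id to the request.
    sess.regenerate(function (err) {
      if (err) return next(err);
      req.session.createdAt = t;
      next();
    });
  };
}

// Constructed fake of the req.session object express-session attaches,
// just enough to observe regeneration.
function fakeRequest(id, createdAt) {
  const req = {};
  req.session = {
    id,
    createdAt,
    regenerate(cb) {
      req.session = { id: id + '-regenerated', regenerate: this.regenerate };
      cb(null);
    },
  };
  return req;
}

// Drive the middleware once and report the session state afterwards.
function afterRequest(maxDurationSec, createdAt, nowMs) {
  const mw = absoluteTimeout(maxDurationSec, () => nowMs);
  const req = fakeRequest('abc', createdAt);
  mw(req, {}, () => {});
  return { id: req.session.id, createdAt: req.session.createdAt };
}

// Stand-alone run: 8 hours, checked one millisecond past the limit.
console.log(afterRequest(28800, 0, 28800 * 1000 + 1));
```

Mount it after the session middleware (`app.use(session(opts)); app.use(absoluteTimeout(28800))`). Writing `createdAt` marks the session as modified on its first request, so it is persisted even with `resave: false`; afterwards the field is only read, so touch/rolling behaviour is unaffected.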

@JoePotentier

Was this ever resolved? Running into this same issue using couchDb store. All of my static paths are secured but I don't want them to call the touch method.

TrevorKarjanis commented Apr 11, 2022

I think a session.notouch() would be preferred, but here is a middleware.

// session.js
// Assumed imports (not in the original comment): ioredis for the cluster
// client, and connect-redis bound to express-session (v6-style API).
import Redis from 'ioredis';
import expressSession from 'express-session';
import connectRedis from 'connect-redis';

const RedisStore = connectRedis(expressSession);
const client = new Redis.Cluster(...); // node list elided in the original
const store = new RedisStore({ client });
const config = { rolling: true, store, ... };
// Two middleware instances share one store; the inactive one does not
// roll the cookie expiry on requests that leave the session unmodified.
export const session = {
  active: expressSession(config),
  inactive: expressSession(Object.assign({}, config, { rolling: false }))
};

// app.js
import { session } from './session.js';

app.use((req, res, next) => {
  if (req.path === '/ping') session.inactive(req, res, next);
  else session.active(req, res, next);
});
