Disable touch on certain paths #287
Hi! No, this is not a bug, as this module will touch a session any time that session is loaded by design. Whenever a request goes through this middleware, it will load the session. For your question of excluding for certain paths, you simply don't execute this middleware on those paths. How to do this is the same as you would for any middleware. Possible ways using Express:
|
Hi, thanks for your answer. But if the case is that I want the session to be picked up in that path. But don't want the session touched? The path is only accessible if the user is logged in. |
@EmmEm, I hope you're doing well. Did you ever figure out this requirement? I'd like to disable session.touch() as well for a logged in user so their session expires a certain time limit after logging in. |
@sowmitranalla I'd like the same thing. |
@sowmitranalla @josh-renton did you get anywhere with this in the end? When using a store like DynamoDB, I am seeing a read and a write for every single request, which can get quite expensive, quite quickly. Disabling session.touch() for different scenarios would be ideal. |
Off the top of my head, and I'm far from an expert, but it sounds quite
weird you're always hitting the database.
Have you thought about in memory caching if you really need the data, or
re-writing to avoid it if you don't?
Clearly you're doing it for a reason, but just a thought.
|
I don't need to hit the database on every request, I really don't want it to. However, by default, this is what the connect-dynamodb store does through the session.touch() method that a lot of the stores implement. From what I have worked out, the express-session library calls the touch method on every request that uses the library as middleware. This in turn pushes the onus on the session stores to decide what they will do when touch is called, and in most cases, the store does a lookup and subsequent write. In the connect-dynamodb case, for example, it does a write to update the "expires" attribute of the session in question, which means that every request using the express-session middleware will do a write to dynamodb. So TLDR; if you want to turn off the "touch on every request" functionality, then use a connect-* library that has a flag to turn it off, or write your own to turn it off. |
This express issue and related PR may help: #557

maxDuration

The maximum amount of time that a session can stay open even if there are continuous

```js
app.use(session({
  maxDuration: 28800, // duration in seconds (this would be 8 hours)
  secret: 'keyboard cat'
}))
```
|
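An added example, not part of the thread and not express-session's own code: one way to get the fixed post-login lifetime asked for above without disabling `touch()` or relying on `maxDuration`. It stamps the login time into the session once and rejects the session after a hard cap, however often the idle TTL is refreshed. The names `loginAt`, `markLogin`, `absoluteTimeout` and `simulate` are assumptions made for this sketch; `req.session.regenerate()` and `req.session.destroy()` are express-session's session methods.

```javascript
// Added example. loginAt, markLogin and absoluteTimeout are assumed names,
// not part of express-session.
const MAX_AGE_MS = 28800 * 1000; // 8 hours, the figure used in the thread

// Call once after successful authentication. regenerate() issues a fresh
// session ID (which also blocks session fixation) before loginAt is stamped.
function markLogin(req, now, done) {
  req.session.regenerate((err) => {
    if (err) return done(err);
    req.session.loginAt = now; // written once, never refreshed by touch()
    done();
  });
}

// Mount after express-session. store.touch() may keep sliding the idle TTL,
// but the session is destroyed once loginAt is older than maxAgeMs.
function absoluteTimeout({ maxAgeMs = MAX_AGE_MS, now = Date.now } = {}) {
  return function (req, res, next) {
    const loginAt = req.session && req.session.loginAt;
    if (typeof loginAt !== 'number') return next(); // not logged in
    if (now() - loginAt < maxAgeMs) return next();  // still inside the window
    req.session.destroy((err) => {
      if (err) return next(err);
      res.statusCode = 401;
      res.end('Session expired');
    });
  };
}

// Constructed stand-ins for req/res so the check runs without Express.
function simulate(loginAt, nowMs) {
  const req = { session: { loginAt, destroy(cb) { delete req.session; cb(); } } };
  const res = { statusCode: 200, end() { this.ended = true; } };
  let passed = false;
  absoluteTimeout({ now: () => nowMs })(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, hasSession: Boolean(req.session) };
}

console.log(simulate(0, MAX_AGE_MS - 1)); // inside the window
console.log(simulate(0, MAX_AGE_MS));     // window elapsed
```

Because the cap is checked against data held server-side in the session, polling routes can keep touching the session without extending how long a login stays valid.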
Was this ever resolved? Running into this same issue using couchDb store. All of my static paths are secured but I don't want them to call the touch method. |
I think a

```js
// session.js
const client = Redis.Cluster(...);
const store = new RedisStore({ client });
const config = { rolling: true, store, ... };
export const session = {
  active: expressSession(config),
  inactive: expressSession(Object.assign({}, config, { rolling: false }))
};

// app.js
import { session } from './session.js';
app.use((req, res, next) => {
  if (req.path === '/ping') session.inactive(req, res, next);
  else session.active(req, res, next);
});
```
|
Hi,
I have some paths that are pinged by the user with a certain interval, I don't want to reset the session TTL when those paths are called. The paths don't manipulate the session in any way, but still the touch function is used.
Am I missing something or is this a bug?
When checking out the code in index.js it seems like it will always do a save/touch if cookieId and sessionId match.