auth.sessions

Samuel S. Donovan edited this page Dec 10, 2022 · 15 revisions

auth.sessions is responsible for maintaining a list of sessions and information regarding them. By default, auth.sessions is set to an instance of SessionManager.

The default SessionManager only uses in-memory storage, so shutting down the server will cause all data to be lost.

As with the other managers, auth.sessions may be set to a developer-provided object, provided that the new auth.sessions has the required functions (see table below). Extra functionality may be added with no effect on express-cookie-session-auth.

Properties & Methods

☆ This method or property is a requirement when providing your own implementation.

Method/Property | Returns/Type | Description

.model


{ 
    "userID": "string",☆
    "expires": 0,      ☆     //in ms
    ...
}

Default model for .new(...).
NOTE: Internally, model will always have .userID and .expires. They will be added during new() and set() if not provided.

.purgeInterval


number
Purge interval in ms for when sessions should be iterated through and deleted if expired.

.maxAge


number
Maximum age in ms that a session can last.

.httpOnly


bool
Specifies a session cookie's HttpOnly Set-Cookie attribute

.sameSite


bool
  • true will set the SameSite attribute to Strict for strict same site enforcement.
  • false will not set the SameSite attribute.

string
  • 'lax' will set the SameSite attribute to Lax for lax same site enforcement.
  • 'none' will set the SameSite attribute to None for an explicit cross-site cookie.
  • 'strict' will set the SameSite attribute to Strict for strict same site enforcement.

Specifies the boolean or string to be the value for the SameSite Set-Cookie attribute

.secure


bool
Specifies a session cookie's Secure Set-Cookie attribute


.new(userID, 
     model=this.model,
     maxAge=this.maxAge)


string sessionID if the new session was created.

Creates a new user session.
Regardless of model, model.userID = userID and model.expires = Date.now() + maxAge.
NOTE: There is no validation of userID: adding an ID not in auth.users will still work.

.get(id)


model of the session with the provided id.

undefined if the session does not exist.

false if the session was unable to be retrieved (other).
Retrieves a session.
NOTE: This function must always return an object with a userID and expires.

.all()


[string]
Retrieves a list of all session ids.

.set(id, model)


true if the session was successfully updated.

undefined if the session does not exist.

false if the session was unable to be updated (other).
Updates a session's model.
NOTE: While the model's expires can be updated using this method, it must be defined as a Date.
NOTE: While the model's userID can be updated using this method, it must be defined as a string.

.del(id)


true if the session was deleted.

undefined if the session was not deleted because it did not exist.

false if the session was not deleted (other).

Deletes a session.

.purge()

- Deletes all expired sessions.

.startPeriodicPurging()

- Starts periodically purging expired sessions based on .purgeInterval.
Called in constructor.

.stopPeriodicPurging()

- Stops periodically purging expired sessions
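
The following is an added example, not code from express-cookie-session-auth: a developer-provided object that could be assigned to auth.sessions, following the return values in the table above. The class name MapSessionStore and its internal fields store and timer are hypothetical, and two behaviours are choices made here rather than documented ones: get() treats an expired but not yet purged session as nonexistent, and set() accepts expires as either a Date or a number of ms.

```javascript
const { randomBytes } = require('crypto');

// Hypothetical drop-in for auth.sessions; `store` and `timer` are internal names.
class MapSessionStore {
  constructor({ maxAge = 30 * 60 * 1000, purgeInterval = 60 * 1000 } = {}) {
    this.model = { userID: '', expires: 0 };
    Object.assign(this, { maxAge, purgeInterval, httpOnly: true, sameSite: 'strict', secure: true });
    this.store = new Map();
    this.startPeriodicPurging(); // mirrors "Called in constructor" in the table
  }
  new(userID, model = this.model, maxAge = this.maxAge) {
    const id = randomBytes(32).toString('hex'); // 256-bit ID from the CSPRNG
    // userID and expires always override whatever the model carried
    this.store.set(id, { ...model, userID, expires: Date.now() + maxAge });
    return id;
  }
  get(id) {
    const s = this.store.get(id);
    // Choice made here: an expired session that has not been purged yet
    // is reported as nonexistent instead of being handed back.
    if (!s || s.expires <= Date.now()) return undefined;
    return { ...s }; // copy, so changes must go through set()
  }
  all() { return [...this.store.keys()]; }
  set(id, model) {
    const old = this.store.get(id);
    if (!old) return undefined;
    const next = { ...old, ...model }; // missing userID/expires fall back to stored values
    next.expires = Number(next.expires); // accepts a Date or ms, stored as ms (assumption)
    if (typeof next.userID !== 'string' || Number.isNaN(next.expires)) return false;
    this.store.set(id, next);
    return true;
  }
  del(id) { return this.store.delete(id) ? true : undefined; }
  purge() {
    const now = Date.now();
    for (const [id, s] of this.store) if (s.expires <= now) this.store.delete(id);
  }
  startPeriodicPurging() {
    this.stopPeriodicPurging();
    this.timer = setInterval(() => this.purge(), this.purgeInterval);
    this.timer.unref(); // do not keep the process alive just for purging
  }
  stopPeriodicPurging() { clearInterval(this.timer); this.timer = null; }
}
```

Because expired sessions stay in storage until the next purge, the expiry check in get() closes the window of up to .purgeInterval ms in which a stale session ID would otherwise still resolve.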
