Skip to content


Subversion checkout URL

You can clone with
Download ZIP


have option to tie concept of session with a login session #451

amudukutore opened this Issue · 6 comments

6 participants


When using the session middleware, I see that a new session cookie object is
created if:
a. the request has no session object passed in via cookie, or
b. there is no matching session-id in the session store for the
session object passed in via request cookie

It would be nice to have some support from the API such that session objects are created
(or retained) only for authenticated users. For all other requests, there should be no
session object created. I believe this can benefit applications in several ways (see below):
a. It will reduce the number of session objects that need to be retained in the session store
b. It will reduce the possibility of malicious attacks from unauthorized users trying to cause server
to run out of memory.
c. It ties in the concept of session with a login-session which is the typical session usage for several applications.

tj commented

thanks for posting it here. there are a few other session related things i;d like to fix first but then i'll come back to this


I'd just like to chime in to the suggestion.

I was surprised to notice that I had over 2500 sessions in my Redis store after some weeks of active use with a few users. Then I realized that any request (search engines, etc.) caused new sessions to be created. Increasing the session max age to more than the 10 days I've got it set to now would mean even more unnecessary session keys.

Am I doing something wrong? Any suggestions?


I'd also like to comment that because of this, the session middleware cannot be used for site that need to comply with EU guidelines, as we cannot store cookies without the user's consent first, but the very first request a user makes a session cookie gets included with the response.

tj commented

@lemonad I cant remember if i got this in recently or not (I dont think so) but we still need to perform a check that if req.session was not modified and is new, to prevent set-cookie and saving of the session. The default behaviour will still be that if req.session is modified (authenticated or not) you'll get a session


+1: I'm developing a front controller where I wish to start the session only after some logic (like user validation among others); I would be thankful to be able to start a session any time much after the server listener creation (and inside it; not before it). I've searched and researched how to do it, but it seems impossible. I hope I'm not asking for support in the wrong place.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.