Cookie sessions always use the default options passed to the cookieSession creation function. Thus, if you change the expire time for a session cookie in a route, it is overwritten the next time the cookie session middleware runs.
This is because the cookie session middleware keeps creating a new cookie object and doesn't remember the changed settings.
Thoughts on working around this? The use case is longer expire times for logged in users versus non logged in users.
definitely a bug
thanks for the report
One way I am currently getting around it is to roll my own cookie session middleware which looks for certain fields in the session object and tweaks the max age before setting the cookie response headers. Don't really see another way around it without serializing some of the cookie state into the session (which I am avoiding for size reasons for now).
yeah we kinda have to, this is what I did for session(), the .cookie prop just tags along, I can't think of another reasonable way off hand
One way I do cut down on cookie size is to just aes encrypt the cookie data (json string) without any hmac signature. This also protects the session data from being seen by the end user.
not like we have a ton of data to store, just a couple flags and the one number
@shtylman - how do you change the cookie expires time in a route? Can you share your current workaround?
@ragulka I do not currently use the builtin cookie session middleware and instead use yummy
@shtylman thanks for the tip! Looks good!
Edge case IMO. Most people won't run into this issue. I'd rather push users to more advanced cookie session middleware.