cookie sessions do not remember expiry settings #455

Closed
defunctzombie opened this Issue Jan 12, 2012 · 10 comments

Contributor

defunctzombie commented Jan 12, 2012

Cookie sessions always use the default options passed to the cookieSession creation function. Thus, if you change the expire time for a session cookie in a route, it is overwritten the next time the cookie session middleware runs.

This is because the cookie session middleware keeps creating a new cookie object and doesn't remember the changed settings.

Thoughts on working around this? The use case is longer expire times for logged-in users versus non-logged-in users.

Member

tj commented Jan 12, 2012

definitely a bug

Member

tj commented Jan 12, 2012

thanks for the report

Contributor

defunctzombie commented Jan 12, 2012

One way I am currently getting around it is to roll my own cookie session middleware which looks for certain fields in the session object and tweaks the max age before setting the cookie response headers. Don't really see another way around it without serializing some of the cookie state into the session (which I am avoiding for size reasons for now).

Member

tj commented Jan 12, 2012

yeah we kinda have to, this is what I did for session(), the .cookie prop just tags along, I can't think of another reasonable way off hand

Contributor

defunctzombie commented Jan 12, 2012

One way I do cut down on cookie size is to just AES encrypt the cookie data (JSON string) without any HMAC signature. This also protects the session data from being seen by the end user.
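
Added example, not part of the original thread and not the project's own code: one way to make a per-session expiry survive the middleware rebuilding the cookie on every request is to carry the expiry inside the cookie payload itself. This sketch seals the payload with AES-256-GCM, whose 16-byte tag authenticates the data without a separate HMAC; `seal`, `unseal`, `cookieOptions`, the `maxAge` session field and the 30-minute default are all assumptions.

```javascript
// Added example: every name here is hypothetical, not an API of the middleware.
const crypto = require('crypto');

const DEFAULT_MAX_AGE = 30 * 60 * 1000; // assumed default lifetime: 30 minutes

// Encrypt and authenticate the session JSON with AES-256-GCM.
// The absolute expiry is stored inside the sealed payload, so it is not lost
// when the cookie object is recreated from default options.
function seal(session, key, now = Date.now()) {
  const maxAge = session.maxAge || DEFAULT_MAX_AGE;
  const body = JSON.stringify({ d: session, exp: now + maxAge });
  const iv = crypto.randomBytes(12); // fresh nonce for every cookie value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Returns the session object, or null if the value was tampered with,
// is malformed, or has passed the expiry recorded at seal time.
function unseal(value, key, now = Date.now()) {
  try {
    const raw = Buffer.from(value, 'base64');
    if (raw.length < 28) return null; // 12-byte IV + 16-byte tag minimum
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const body = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const { d, exp } = JSON.parse(body.toString('utf8'));
    return typeof exp === 'number' && exp > now ? d : null;
  } catch (err) {
    return null; // tag mismatch or invalid JSON
  }
}

// Cookie attributes derived from the session on every response, so a
// logged-in session keeps its longer lifetime instead of the default.
function cookieOptions(session) {
  return { maxAge: session.maxAge || DEFAULT_MAX_AGE, httpOnly: true };
}
```

The server-side `exp` check matters because the browser's cookie expiry is only advisory: a client can replay an old cookie value regardless of the `maxAge` it was sent with.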

Member

tj commented Jan 12, 2012

not like we have a ton of data to store, just a couple flags and the one number

ragulka commented Mar 20, 2013

@shtylman - how do you change the cookie expires time in a route? Can you share your current workaround?

Contributor

defunctzombie commented Mar 20, 2013

@ragulka I do not currently use the built-in cookie session middleware and instead use yummy.

ragulka commented Mar 20, 2013

@shtylman thanks for the tip! Looks good!

Contributor

jonathanong commented Nov 18, 2013

Edge case IMO. Most people won't run into this issue. I'd rather push users to more advanced cookie session middleware.
