Cannot update session.cookie.maxAge to a value greater than hasLongExpires checks for (4 weeks) #859

Closed
jeremyk opened this issue Aug 5, 2013 · 2 comments
jeremyk commented Aug 5, 2013

`hasLongExpires` is currently checking against a hard-coded 4 weeks.

I am finding that the check `if(!isNew && cookie.hasLongExpires)` in session.js fails when trying to update the `maxAge` to a value greater than 4 weeks, as the comparison looks at the new value of `maxAge` when evaluating `hasLongExpires` and then skips the cookie update.

I have traced this through the debugger several times and verified that setting `req.session.cookie.maxAge` of < 4 weeks properly updates the cookie from a session to an expiring cookie but setting it greater than 4 weeks causes no update to the browser cookie.
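
The check described in this report, as a simplified model added here (it is not connect's source and not part of the original comment). Only the hard-coded 4-week `hasLongExpires` threshold and the `!isNew && cookie.hasLongExpires` condition come from the issue; the function names and the `shouldSendCookieOnChange` alternative are hypothetical.

```javascript
// Simplified model of the behaviour reported in this issue (not connect's code).
const WEEK_MS = 7 * 24 * 60 * 60 * 1000;

// Model cookie: hasLongExpires is computed from the *current* maxAge,
// so it already reflects a value the handler has just assigned.
function makeCookie(maxAge) {
  return {
    maxAge, // milliseconds, or null for a browser-session cookie
    get hasLongExpires() {
      return this.maxAge > 4 * WEEK_MS; // hard-coded threshold from the report
    },
  };
}

// The check quoted in the report: for an existing session whose cookie
// has a long expiry, skip sending Set-Cookie.
function shouldSendCookieReported(isNew, cookie) {
  if (!isNew && cookie.hasLongExpires) return false;
  return true;
}

// Hypothetical alternative: resend whenever maxAge differs from the value
// last sent to the browser, independent of any fixed threshold.
function shouldSendCookieOnChange(isNew, cookie, lastSentMaxAge) {
  return isNew || cookie.maxAge !== lastSentMaxAge;
}

// Existing session that so far had a browser-session cookie (maxAge null);
// the request handler then assigns newMaxAge.
function simulateUpdate(newMaxAge) {
  const lastSent = null;
  const cookie = makeCookie(lastSent);
  cookie.maxAge = newMaxAge;
  return {
    reported: shouldSendCookieReported(false, cookie),
    onChange: shouldSendCookieOnChange(false, cookie, lastSent),
  };
}

// Constructed sample values: 2 weeks is sent, 8 weeks is silently skipped.
for (const weeks of [2, 8]) {
  console.log(weeks + " weeks:", simulateUpdate(weeks * WEEK_MS));
}
```
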

shinmei commented Aug 6, 2013

I confirm, I've seen this behaviour too.

Annoying because my customers come back months after and lose their sessions.

But a session longer than 4 weeks is a security issue. I'm in some way balanced about this question. For the moment I just try to update the session maxAge often.

But having a hardcoded value is bad; it should be possible to overwrite it via an option.

@asymingt
I confirm. I opened up #865 and closed it after subsequently finding this issue.

undoZen added a commit to undoZen/connect that referenced this issue Dec 11, 2013
It's not only not needed, but also causes problems.
senchalabs#859