Hard Session Timeout

As far as I understand, the ttl is a session inactivity timeout. So, if a user is not actively using a session, it will expire after the specified duration. From a security perspective, we want to keep this as low as possible (less than an hour). However, if a user’s session can be stolen, the attacker can repeatedly extend the session’s life by sending requests on a regular basis (e.g. every few minutes). To prevent a session from being extended indefinitely one has to set a hard session timeout which will expire sessions even though they are actively used and set this to a reasonable amount of time (a company can expect the user to login once or twice a day, so a hard session timeout of 4-12 hours is reasonable).

I studied the documentation and it seems like a hard session timeout is not implemented… yet. And I think I have to implement this on my own (e.g. store the login time in the session and compare this on every request against the maximum duration).

So this raises the following questions:

• Is my understanding of ttl correct?
• Is a hard session timeout really not implemented?
• Would it make sense to implement this in this module?

For anyone looking for an implementation of a hard session timeout. This is how I solved it:

router.use(passport.initialize());
router.use(passport.session());
router.use((req, res, next) => {
  if (req.user && !req.session.hardExpiration) {
    req.session.hardExpiration = moment().add(12, 'hours').toDate();
  } else if (moment().isAfter(req.session.hardExpiration)) {
    req.logout();
  }
  next();
});