Hard Session Timeout
As far as I understand, the ttl is a session inactivity timeout. So, if a user is not actively using a session, it will expire after the specified duration. From a security perspective, we want to keep this as low as possible (less than an hour). However, if a user's session can be stolen, the attacker can repeatedly extend the session's life by sending requests on a regular basis (e.g. every few minutes). To prevent a session from being extended indefinitely, one has to set a hard session timeout which will expire sessions even though they are actively used, and set this to a reasonable amount of time (a company can expect the user to log in once or twice a day, so a hard session timeout of 4-12 hours is reasonable).
I studied the documentation and it seems like a hard session timeout is not implemented… yet. And I think I have to implement this on my own (e.g. store the login time in the session and compare this on every request against the maximum duration).
So this raises the following questions:
- Is my understanding of ttl correct?
- Is a hard session timeout really not implemented?
- Would it make sense to implement this in this module?
For anyone looking for an implementation of a hard session timeout, this is how I solved it:
const express = require('express');
const passport = require('passport');
const moment = require('moment');
const router = express.Router();

router.use(passport.initialize());
router.use(passport.session());
router.use((req, res, next) => {
  if (req.user && !req.session.hardExpiration) {
    // First authenticated request on this session: pin the absolute expiry.
    req.session.hardExpiration = moment().add(12, 'hours').toDate();
  } else if (req.session.hardExpiration && moment().isAfter(req.session.hardExpiration)) {
    // Hard limit reached. Clear the marker as well, otherwise it survives the
    // logout and the next login on this session would be expired immediately.
    delete req.session.hardExpiration;
    req.logout();
  }
  next();
});
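The approach the issue describes (store the login time in the session and compare it against a maximum age on every request), written out as an added example that is not the issue author's or the module's own code. The decision is factored into a pure function so it can be exercised without a running server, and the timestamp is stored as epoch milliseconds because session stores that serialize the session as JSON turn a Date into a string. Assumed names: `checkHardTimeout`, `hardSessionTimeout` and `HARD_TIMEOUT_MS` are hypothetical; the middleware assumes Express with express-session, Passport 0.6 or later (where `req.logout` takes a callback), and `req.user` being set on authenticated requests.

```javascript
// Added example: hard (absolute) session timeout on top of the idle ttl.
// Assumptions: Express + express-session + Passport >= 0.6; an authenticated
// request has req.user. Timestamps are epoch ms so they survive a JSON round
// trip through the session store.

const HARD_TIMEOUT_MS = 12 * 60 * 60 * 1000; // 12 hours: one login per working day

// Pure decision function. Mutates `session` and returns one of
// 'anonymous' | 'start' | 'ok' | 'expired'.
function checkHardTimeout(session, isAuthenticated, nowMs, maxAgeMs = HARD_TIMEOUT_MS) {
  if (!isAuthenticated) {
    // Nothing to protect. Drop any stale marker so that a later login on the
    // same session starts a fresh window instead of being expired at once.
    delete session.loginAt;
    return 'anonymous';
  }
  if (typeof session.loginAt !== 'number') {
    // First authenticated request on this session: pin the start of the window.
    session.loginAt = nowMs;
    return 'start';
  }
  if (nowMs - session.loginAt >= maxAgeMs) {
    // Absolute limit reached, regardless of how recently the session was used.
    delete session.loginAt;
    return 'expired';
  }
  return 'ok';
}

// Express middleware; mount it after passport.session().
function hardSessionTimeout(options = {}) {
  const maxAgeMs = options.maxAgeMs || HARD_TIMEOUT_MS;
  return function (req, res, next) {
    const verdict = checkHardTimeout(req.session, Boolean(req.user), Date.now(), maxAgeMs);
    if (verdict !== 'expired') return next();
    // Passport >= 0.6: logout is asynchronous and takes a callback. Destroy the
    // whole session afterwards so nothing else keeps riding on the old id.
    req.logout(function (err) {
      if (err) return next(err);
      req.session.destroy(function () {
        res.status(401).json({ error: 'session_expired' });
      });
    });
  };
}
```

Usage: `app.use(session(...)); app.use(passport.initialize()); app.use(passport.session()); app.use(hardSessionTimeout({ maxAgeMs: 8 * 60 * 60 * 1000 }));`. The idle ttl on the store still applies on top of this; the hard limit only adds an upper bound that repeated requests cannot push out.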
Issue Analytics
- Created 3 years ago
- Comments: 7
Top GitHub Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.