touch does not update session.cookie.expires


When resave: false and rolling: true, the store will update the top-level expires in the session database on each request. express-session will also update the cookie and send it with every response.

The problem is that the stored document at the path session.cookie.expires does not get updated, so it is out-of-sync with both the top-level expires as well as the expires in the cookie.

Since the touch() implementation already sends a call to the database to update the top-level expires, should it not also update session.cookie.expires?

This is the configuration of express-session:

  const store = new MongoStore({
    mongooseConnection: db,
    stringify: false,
  });

  session({
    secret: 'some_secret',
    resave: false,
    rolling: true,
    saveUninitialized: false,
    cookie: {
      maxAge: 60000,
      secure: true,
      httpOnly: true,
    },
    store,
  })

The actual document saved to the store looks something like this:

{
  "_id": "f2yQHE_BPi6UKV4pMuM7xluGPwQIhxIU",
  "expires": {
    "$date": "2020-02-03T15:23:54.646Z"
  },
  "session": {
    "cookie": {
      "originalMaxAge": 3599997,
      "expires": {
        "$date": "2020-02-03T15:04:06.890Z"
      },
      "secure": false,
      "httpOnly": true,
      "domain": null,
      "path": "/",
      "sameSite": null
    },
    "passport": {
      "user": "someUser"
    }
  }
}

Issue Analytics

  • State: open
  • Created 4 years ago
  • Reactions: 4
  • Comments: 33 (8 by maintainers)
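
The drift described in the issue can be measured over exported session documents. The following is an added example, not code from connect-mongo or from the issue: the function names and the sample document are constructed for illustration, and the two touch functions are an in-memory model of the reported and the proposed behaviour.

```javascript
// Accepts a Date, an ISO string, or the {"$date": ...} form shown in the stored document.
function toDate(v) {
  if (v instanceof Date) return v;
  if (v && typeof v === 'object' && '$date' in v) return new Date(v.$date);
  return new Date(v);
}

// Gap between the top-level expires and session.cookie.expires, in milliseconds.
// inSync is null when the cookie carries no expires and nothing can be compared.
function expiryDrift(doc, toleranceMs = 1000) {
  const cookie = (doc.session && doc.session.cookie) || {};
  if (!cookie.expires) return { sid: doc._id, driftMs: null, inSync: null };
  const driftMs = toDate(doc.expires).getTime() - toDate(cookie.expires).getTime();
  return { sid: doc._id, driftMs, inSync: Math.abs(driftMs) <= toleranceMs };
}

// Model of the reported behaviour: only the top-level expires moves.
function touchTopLevelOnly(doc, newExpires) {
  return { ...doc, expires: newExpires };
}

// Model of the proposed behaviour: both fields move together.
function touchBoth(doc, newExpires) {
  const cookie = { ...doc.session.cookie, expires: newExpires };
  return { ...doc, expires: newExpires, session: { ...doc.session, cookie } };
}

// Constructed sample, shaped like the stored document on this page.
const sample = {
  _id: 'constructed-sid-1',
  expires: { $date: '2020-02-03T15:04:06.890Z' },
  session: {
    cookie: { originalMaxAge: 60000, expires: { $date: '2020-02-03T15:04:06.890Z' } },
  },
};

function demo() {
  const rolled = new Date('2020-02-03T15:05:06.890Z'); // one maxAge (60 s) later
  return {
    before: expiryDrift(sample),
    topOnly: expiryDrift(touchTopLevelOnly(sample, rolled)),
    both: expiryDrift(touchBoth(sample, rolled)),
  };
}
```

Run against the document quoted in the issue, `expiryDrift` reports a gap of 1187756 ms between the two fields.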

Top GitHub Comments

2 reactions
YC commented, Aug 3, 2021

Current Behavior

| resave | rolling | expires | session.expires |
|--------|---------|---------|-----------------|
| false  | false   | y       | n               |
| false  | true    | y       | n               |
| true   | false   | y       | y               |
| true   | true    | y       | y               |

Expected Behavior (my opinion)

I performed a quick search on expires. It seems to me that it (the top-level expires) is used to perform faster queries and should reflect the value in the cookie.

| resave | rolling | expires | session.expires | Justification |
|--------|---------|---------|-----------------|---------------|
| false  | false   | n       | n               | If session is not modified and resave is false, then db should be unchanged. |
| false  | true    | y       | y               | “With [rolling] enabled, the session identifier cookie will expire in maxAge since the last response was sent instead of in maxAge since the session was last modified by the server.” Expiration always rolling. (See discussion in issue linked above) |
| true   | false   | n       | n               | resave forces the session to be saved back to the session store. No mention of expires |
| true   | true    | y       | y               | “With [rolling] enabled, the session identifier cookie will expire in maxAge since the last response was sent instead of in maxAge since the session was last modified by the server.” |

Reference: https://expressjs.com/en/resources/middleware/session.html

Happy to have a look at code if everyone agrees.

1 reaction
mingchuno commented, Feb 23, 2021

@YC I have just reverted it in develop branch. https://github.com/jdesboeufs/connect-mongo/commit/82e1831b80fc5982b31a14b8db7dd0490d42d3a9 I will group the bug fixes and cut a release later.
