Comments (15)
closing this case as older, please reopen if you want to discuss more
from connect-redis.
@wavded I'd like to discuss this more. There are some use cases where you wouldn't want someone to be logged out after some fixed amount of time. If you use connect-redis for an API that is being used by an app, you usually don't want someone to have to log in again after not using your app for a while.
from connect-redis.
@despairblue this should be able to be handled in the express-session cookie options, we pull that value to set the TTL, and if a cookie is going to expire then, it doesn't seem to make sense to keep the session object around.
https://github.com/expressjs/session#cookiemaxage
from connect-redis.
Setting maxAge does put the redis TTL and the cookie's expiration date in sync:
127.0.0.1:6379> get sess:8RSdkTNnCARsocU0KuUVC9wUvAAytVnW
"{\"cookie\":{\"originalMaxAge\":60000,\"expires\":\"2014-10-24T17:27:41.279Z\",\"secure\":true,\"httpOnly\":true,\"path\":\"/\"},\"passport\":{}}"
127.0.0.1:6379> ttl sess:8RSdkTNnCARsocU0KuUVC9wUvAAytVnW
(integer) 55
But by default the cookies from express-session don't have maxAge nor an expiration date set:
127.0.0.1:6379> get sess:gUlG3DAtQyb6Rk5gLVElG23tHPFBAFA_
"{\"cookie\":{\"originalMaxAge\":null,\"expires\":null,\"secure\":true,\"httpOnly\":true,\"path\":\"/\"},\"passport\":{}}"
127.0.0.1:6379> ttl sess:gUlG3DAtQyb6Rk5gLVElG23tHPFBAFA_
(integer) 86381
This leads to the cookie being still valid on the client side but already removed from redis. Maybe this has been fixed in later versions, but I'm still using 1.5.
So if it has been fixed in 2, let me know, I'll try to back port the fix myself.
from connect-redis.
Right, but a null expiry is just a browser session which expires on browser close, so we don't really know how long it's going to be open (in that case it's defaulted to one day as a "sensible" default (which is arguable)). If no session exists in redis, express-session should set up a new one. Or am I missing something?
from connect-redis.
Well, it will generate a new one, yes, but the examples above are from a user that hasn't logged in. If he logs in, the passport property will contain the ID to the user object in our database. So if the user does not use the app for a day he will be logged out and has to log in again. Which is ok for a website, but not for a mobile app (that's what we use it for).
from connect-redis.
@despairblue hmm... I'm not comfortable completely eliminating a TTL, that has been the default behavior for a long time, there aren't any acceptable workarounds (e.g. req.session.regenerate or setting a far future cookie expiry)?
from connect-redis.
How about not changing the default behavior? :)
Let's say, setting ttl = -1 would just not set the ttl instead of throwing a redis exception?
from connect-redis.
I'm game with that. So if ttl is set to -1 then we'll use a SET command instead. Care to start a PR?
from connect-redis.
Will do, but don't expect it before Monday :)
from connect-redis.
On second thought, I kinda loathe 'magic' values, let's just add a new boolean option disableTTL so it's clearer. Thanks for working on that.
from connect-redis.
Ok. What should be the behavior if both are supplied?
from connect-redis.
disableTTL trumps if they specify a ttl
from connect-redis.
Fixed in 1a2f708
from connect-redis.
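The expiry behaviour settled on in this thread, sketched as an added example (not connect-redis source and not written by any participant). `planSessionWrite` and `compareLifetimes` are hypothetical names, the session objects mirror the stored JSON shown above, and the precedence of an explicit `ttl` over the cookie's maxAge is an assumption.

```javascript
// Added illustration; not connect-redis source code.
const ONE_DAY = 86400; // seconds: the "sensible" default mentioned in the thread

// Decide which Redis write a store would issue for one session.
// opts: { ttl?: seconds, disableTTL?: boolean }
// sess: stored session object, e.g. { cookie: { originalMaxAge: 60000 } }
function planSessionWrite(sid, sess, opts = {}) {
  const key = 'sess:' + sid;
  const value = JSON.stringify(sess);
  if (opts.disableTTL) {
    // disableTTL trumps any ttl: plain SET, so the key never expires in Redis.
    return { command: ['SET', key, value], ttl: null };
  }
  const maxAge = sess.cookie && sess.cookie.originalMaxAge; // milliseconds or null
  // Assumed precedence: explicit ttl option, then cookie maxAge, then one day.
  const ttl = opts.ttl ||
    (typeof maxAge === 'number' ? Math.floor(maxAge / 1000) : ONE_DAY);
  return { command: ['SETEX', key, ttl, value], ttl };
}

// Classify how the server-side record lifetime relates to the cookie lifetime.
function compareLifetimes(sess, plan) {
  const maxAge = sess.cookie && sess.cookie.originalMaxAge;
  if (plan.ttl === null) return 'server record never expires';
  if (typeof maxAge !== 'number') {
    // Browser-session cookie: lives until the browser closes, length unknown.
    return 'browser-session cookie may outlive server record';
  }
  const cookieSecs = Math.floor(maxAge / 1000);
  if (plan.ttl === cookieSecs) return 'in sync';
  return plan.ttl < cookieSecs
    ? 'server record expires first'
    : 'server record outlives cookie';
}

// Constructed sessions shaped like the two redis-cli dumps in the thread.
const withMaxAge = { cookie: { originalMaxAge: 60000, secure: true }, passport: {} };
const noMaxAge = { cookie: { originalMaxAge: null, secure: true }, passport: {} };

console.log(compareLifetimes(withMaxAge, planSessionWrite('a', withMaxAge)));
console.log(compareLifetimes(noMaxAge, planSessionWrite('b', noMaxAge)));
console.log(compareLifetimes(noMaxAge, planSessionWrite('c', noMaxAge, { disableTTL: true, ttl: 10 })));
```

With `disableTTL` the Redis key outlives every cookie, so stale sessions have to be removed by explicit logout (`req.session.destroy`) or a separate cleanup job.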