1

I am trying out the express.session() middleware. The usage seems to be fairly simple and I quickly implemented what I wanted. Basically, I implemented authentication based on session cookies. As a part of this function I implemented a "remember me" checkbox, which is pretty much a standard for login windows on the web. Here there appears to be a problem.

I want the following functionality - when the user opens/reloads the page, if there is a valid session cookie and it matches an existing session object on the server application, then session.cookie.maxAge on the server and the cookie expiration on the client are reset to the new value (which is now() + x). This makes the page work like this - if the user did not come back for e.g. 3 days then he is automatically logged out, but if he comes back within 3 days, then he is logged in and the auto-logout counter is reset back to 3 days.

I expected that session.touch() would do it, but it only seems to reset the session expiration date on the server and doesn't push a new cookie to the client.

My question - did I miss something, or was it an intentional implementation?

PS: I could regenerate the session each time and that would update the cookie. But I am concerned about the overhead of running this code on every request. I could also manually push an updated cookie, but would prefer to do it within the express.session() functionality.

I also found this question which was never answered (except for OP himself): Updating cookie session in express not registering with browser

Alexey Kamenskiy

3 Answers

3

For now, express-session should update cookies in the browser, in code.
rolling: true in the config provides the functionality you desire. It automatically performs touch on every request. Docs

ada
2

"cookie.maxAge" is updated automatically by connect.session touch(), but only on the server side.

The updating of maxAge on the client side has to be done manually with res.cookie.

E.g.:

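// Re-send the existing session cookie so the browser receives the new expiry.
// req.cookies is populated by the cookie-parser middleware.
res.cookie(
    'connect.sid',                  // default express-session cookie name
    req.cookies["connect.sid"],     // same value the client already sent
    {
        maxAge: req.session.cookie.maxAge, // remaining lifetime in ms, as reset by touch()
        path: '/',
        httpOnly: true
    }
);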
Chris
  • That's what I did after all. However, this doesn't seem very logical to me, simply because creating a new session creates a session cookie on the client, but updating (via touch) does not change the cookie on the client. – Alexey Kamenskiy Jul 11 '14 at 05:22
  • BTW, since this is the only answer to this question, I think I will accept it then. Though I already found a similar solution. – Alexey Kamenskiy Jul 11 '14 at 05:23
  • It's the same case with me, but it's related to the session id... can you help @Chris – Prabhat Mishra Jul 06 '18 at 10:30
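
What touch() plus re-sending the cookie amounts to, shown as an added example that is not part of the original answers or of express-session's own code: a dependency-free sketch of sliding expiry, the behaviour the answers above attribute to rolling: true. The cookie name sid, the in-memory store, the function names and the 30-day absolute cap (which goes beyond what the question asks for) are assumptions made for illustration, and unlike express-session the id is not signed.

```javascript
const crypto = require('crypto');

const IDLE_MS = 3 * 24 * 60 * 60 * 1000;      // idle timeout from the question: 3 days
const ABSOLUTE_MS = 30 * 24 * 60 * 60 * 1000; // assumed hard cap on total session age

// Hypothetical in-memory store: sid -> { user, createdAt, expiresAt }
const sessions = new Map();

function createSession(user, now = Date.now()) {
  const sid = crypto.randomBytes(32).toString('hex');
  sessions.set(sid, { user, createdAt: now, expiresAt: now + IDLE_MS });
  return sid;
}

// Builds the Set-Cookie value. Every attribute is repeated on each refresh,
// because the browser replaces the old cookie with exactly what is sent here.
function sessionCookie(sid, maxAgeMs) {
  const seconds = Math.floor(maxAgeMs / 1000);
  return `sid=${sid}; Max-Age=${seconds}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Run on every request: validate the sid, slide the server-side expiry
// (the part touch() does) and return the cookie to re-send to the client
// (the part the question found missing).
function touchAndRefresh(cookieHeader, now = Date.now()) {
  const match = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(cookieHeader || '');
  const session = match && sessions.get(match[1]);
  if (!session) return { user: null, setCookie: null };

  const hardLimit = session.createdAt + ABSOLUTE_MS;
  if (now >= session.expiresAt || now >= hardLimit) {
    sessions.delete(match[1]);
    // Expired: drop server state and tell the browser to discard the cookie.
    return { user: null, setCookie: sessionCookie('', 0) };
  }

  // Slide the idle window, but never past the absolute cap.
  session.expiresAt = Math.min(now + IDLE_MS, hardLimit);
  return {
    user: session.user,
    setCookie: sessionCookie(match[1], session.expiresAt - now),
  };
}
```

In an HTTP handler the returned setCookie string would go into the Set-Cookie response header on every authenticated request.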
2

See this answer to the StackOverflow question you linked to above:

https://stackoverflow.com/a/27609328/4258620

aap