session: Cookie expiration date not being set correctly

I originally opened this issue in the connect-redis repo (https://github.com/tj/connect-redis/issues/292), and it was suggested the issue be raised upstream to express-session.

When rolling and resave are set to false, and when the session is modified, the Expires date on the Set-Cookie header is set to the current date + maxAge, which causes the age of the session cookie to live beyond the life of the original session (as determined by maxAge).

In other words, when rolling is disabled, the life of the cookie is being extended by maxAge each time the session data changes. The expected behavior (I believe) is that, even when the session data is modified, the session length should never exceed maxAge from the time the session was first created.

This is causing connect-redis to break because the cookie set by express-session is living beyond the length of the maxAge of the original session.

This is happening with the latest version of express-session and connect-redis, Node 10.16.0. Please see https://github.com/tj/connect-redis/issues/292 for information / discussion of the issue. Sample code showing our configuration when the issue happens:

const express = require('express');
const session = require('express-session');
const RedisStore = require('connect-redis')(session);
const redis = require('redis');
const redisClient = redis.createClient(...);
const store = new RedisStore({ client: redisClient });

const app = express();

app.use(
  session({
    secret: 'secret here',
    store: store,
    resave: false,
    rolling: false,
    saveUninitialized: false,
    proxy: true,
    name: 'xyz',
    cookie: {
      maxAge: 1000 * 60 * 60 * 24 * 14, // 14 days
      path: '/',
      secure: true,
      httpOnly: true,
    },
  })
);

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 19 (10 by maintainers)

Most upvoted comments

The issue began when upgrading connect-redis from 3.4.2 to 4.0.3.

The issue starts to happen when modifying the session maxAge after the initial session was created. connect-redis attempts to save the modified session and (I’m guessing) calculates the TTL of the redis record as “currentTime - sessionCreationDate” which results in a negative TTL. Since TTL should always be positive, Redis throws ERR invalid expire time in set.

One thing I found particularly strange is that console.log(req.session.cookie._expires) will print the date the session was first created (for example, December 14th), but in the Set-Cookie header the actual Expires date is the current time the response was served (for example, December 16th). Not sure if it’s expected that req.session.cookie._expires does not match the Expires date in Set-Cookie.
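The following is an added example, not code from this issue thread nor from express-session or connect-redis. It models the behaviour the report above describes (the cookie's Expires must stay tied to the session's original expiry when rolling is disabled) and the store-TTL problem raised in the comment (a TTL derived from the expiry must never be non-positive when it reaches Redis). All function names, the constructed timestamps, and the session object shape are hypothetical; only the 14-day maxAge and the Redis error text come from the page.

```javascript
// Added example (not express-session's or connect-redis's own code): a minimal model of
// how a session's absolute expiry, the cookie's Expires attribute, and a store TTL
// should relate under the `rolling` option.

const DAY_MS = 24 * 60 * 60 * 1000;
const MAX_AGE_MS = 14 * DAY_MS; // matches cookie.maxAge in the configuration above

// Create a session at `now`; with rolling disabled this expiry is final.
function createSession(now, maxAgeMs = MAX_AGE_MS) {
  return { createdAt: now, expires: now + maxAgeMs, maxAge: maxAgeMs, data: {} };
}

// Modify session data at `now`. Only when rolling is enabled is the expiry pushed
// out from `now`; otherwise the session keeps the expiry it was created with.
function modifySession(session, now, key, value, { rolling }) {
  session.data[key] = value;
  if (rolling) session.expires = now + session.maxAge;
  return session;
}

// Derive Set-Cookie attributes from the session's absolute expiry, never from `now`.
function cookieAttributes(session, now) {
  return {
    expires: new Date(session.expires).toUTCString(),
    remainingSeconds: remainingSeconds(session, now),
  };
}

// Remaining lifetime in whole seconds, or 0 once expired.
function remainingSeconds(session, now) {
  return Math.max(0, Math.ceil((session.expires - now) / 1000));
}

// TTL to hand to the store. Redis rejects a zero or negative expire time with
// "ERR invalid expire time", so a non-positive value is never forwarded: null tells
// the caller the session is already dead and should be destroyed, not persisted.
function storeTtlSeconds(session, now) {
  const ttl = remainingSeconds(session, now);
  return ttl > 0 ? ttl : null;
}

// Replay the scenario from the report: create a session, modify it two days later,
// and return the expiry the cookie would carry under the given rolling setting.
function simulate(rolling) {
  const t0 = Date.UTC(2019, 11, 14); // constructed timestamp: 14 Dec 2019 00:00 UTC
  const t1 = t0 + 2 * DAY_MS;        // session data modified two days later
  const s = createSession(t0);
  modifySession(s, t1, 'user', 'alice', { rolling });
  return {
    expires: s.expires,
    cookie: cookieAttributes(s, t1),
    ttlAtModification: storeTtlSeconds(s, t1),
  };
}

// Example run: with rolling disabled the Expires date does not move.
console.log('rolling=false ->', simulate(false).cookie.expires);
console.log('rolling=true  ->', simulate(true).cookie.expires);
```

With `rolling: false` the modification at day 2 leaves Expires at creation + 14 days and the store TTL at the 12 days that remain; with `rolling: true` both are pushed out by a full 14 days from the modification. A store that computed its TTL from the wrong reference point, or that forwarded a non-positive value, would reproduce the two symptoms described in this thread.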