session: Cookie should expire immediately when session is destroyed

I believe that the session cookie should be forced to immediately expire when the session is destroyed (i.e. when the user logs out) on the server-side.

While the Session Store I am using is correctly handling this such that a subsequent request from the same client would create a new cookie/session, having the existing cookie for the now-destroyed session be forcibly expired keeps things much cleaner and clearer on the client-side.

Doing so also avoids wasting some bytes on the network bandwidth of every outgoing request from the client by not including the irrelevant cookie. If the session has been destroyed but the cookie’s normal expiration date has not yet been reached, this can contribute an undesirable amount of unnecessary upload bytes incurred from the client’s outgoing requests due to always being required to include that irrelevant cookie in the Cookie header until it naturally expires.

When combined with my changes in PR #240 to fix the interaction between rolling: true and saveUninitialized: false, fixing this would keep things significantly cleaner on the client-side.

About this issue

  • State: open
  • Created 9 years ago
  • Reactions: 13
  • Comments: 25 (16 by maintainers)

Most upvoted comments

What is the state of this PR? I’d love to see an express-session version where this works, as we are experiencing quite some database requests with session IDs from expired sessions.

The hacks mentioned above do not apply for us, because sessions can expire at any point without the user hitting logout (e.g. user being locked, etc.), so an automatic cookie cleanup mechanism would be very helpful here.

Looking forward to this. Right now, I manually delete the client’s cookie on logout like this:

  const expressSession = require('express-session');
  const cookie = require('cookie');
  // Copy the session cookie's attributes (path, domain, secure, ...) so the expiring cookie matches the original.
  const expireCookie = new expressSession.Cookie(req.session.cookie);
  expireCookie.expires = new Date(0);
  const cookies = cookie.parse(req.headers.cookie || ''); // guard: the Cookie header may be absent
  res.header('set-cookie', expireCookie.serialize(appName, cookies[appName] || ''));

appName is equal to the name option of express-session. Maybe there’s a more elegant way than going through the Cookie constructor.
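An added example (not from express-session or from the comment above) of a logout route that destroys the server-side session and, only after that succeeds, sends a clearing Set-Cookie header. It assumes Express-style req/res objects and express-session's req.session.cookie attributes; the clearing cookie must carry the same Path, Domain, Secure and SameSite attributes as the original, otherwise the browser treats it as a different cookie and keeps sending the stale one.

```javascript
// Build a Set-Cookie value that tells the browser to drop the session cookie.
// `opts` is the session cookie's attribute object (path, domain, httpOnly,
// secure, sameSite), as kept by express-session on req.session.cookie.
function buildExpiredCookieHeader(name, opts) {
  const o = opts || {};
  const parts = [
    `${name}=`,                                  // empty value
    'Expires=Thu, 01 Jan 1970 00:00:00 GMT',     // date in the past
    'Max-Age=0',                                 // and zero lifetime, for clients that prefer it
    `Path=${o.path || '/'}`,                     // must match the original cookie
  ];
  if (o.domain) parts.push(`Domain=${o.domain}`);
  if (o.httpOnly !== false) parts.push('HttpOnly');
  if (o.secure) parts.push('Secure');
  if (o.sameSite) {
    // express-session accepts true (meaning Strict) or 'strict' | 'lax' | 'none'
    const v = o.sameSite === true ? 'Strict' : String(o.sameSite);
    parts.push(`SameSite=${v.charAt(0).toUpperCase() + v.slice(1).toLowerCase()}`);
  }
  return parts.join('; ');
}

// Logout middleware. `cookieName` is the `name` option express-session was
// configured with (default 'connect.sid'). The server-side session is destroyed
// first; the cookie is only cleared once the store confirms the destroy, so a
// failed destroy does not leave a live session whose cookie the client forgot.
function logoutHandler(cookieName) {
  return function (req, res, next) {
    if (!req.session) {
      // No session on this request: just make sure the client drops any cookie.
      res.setHeader('Set-Cookie', buildExpiredCookieHeader(cookieName, {}));
      return res.status(204).end();
    }
    const cookieOpts = req.session.cookie;
    req.session.destroy(function (err) {
      if (err) return next(err);
      res.setHeader('Set-Cookie', buildExpiredCookieHeader(cookieName, cookieOpts));
      res.status(204).end();
    });
  };
}
```

Mount it as `app.post('/logout', logoutHandler('connect.sid'))`; a subsequent request from the client then arrives with no session cookie at all instead of a stale one.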

I was able to create a working unit test that is set up the same as your most recent code example above, which has now been pushed into the existing PR #242.

Please review the PR as soon as you can, thanks! 💝

I’m helping out with a code-base where the Session ID (SID) has been used to tie resources in the DB. We’ve got to the point where we are now handling killing off the session, simply to generate a new SID (as we do not want any further records to be persisted with the same SID).

The caveat is that we need to maintain any logged-in users (via req.session.user, à la Passport.js), and doing so via the regenerate() callback does not help, as the cookie’s SID in the browser is still the old SID.

  1. Calling destroy and regenerate causes the user to be logged out; the SID changes, though.
  2. Calling regenerate: we are able to log in the existing user via Passport’s logIn() facility; however, the session SID stays the same.

Thoughts?