connect-mongo: touch does not update session.cookie.expires

When resave: false and rolling: true, the store will update the top-level expires in the session database on each request. express-session will also update the cookie and send it with every response.

The problem is that the stored document at the path session.cookie.expires does not get updated, so it is out of sync with both the top-level expires and the expires in the cookie.

Since the touch() implementation already sends a call to the database to update the top-level expires, should it not also update session.cookie.expires?

This is the configuration of express-session:

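  const session = require('express-session');
  const MongoStore = require('connect-mongo')(session);

  // db is an existing mongoose connection; app is the Express application.
  const store = new MongoStore({
    mongooseConnection: db,
    stringify: false, // store the session as a nested document, not a JSON string
  });

  app.use(
    session({
      secret: 'some_secret',
      resave: false,
      rolling: true,
      saveUninitialized: false,
      cookie: {
        maxAge: 60000,
        secure: true,
        httpOnly: true,
      },
      store,
    })
  );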

The actual document saved to the store looks something like this:

{
  "_id": "f2yQHE_BPi6UKV4pMuM7xluGPwQIhxIU",
  "expires": {
    "$date": "2020-02-03T15:23:54.646Z"
  },
  "session": {
    "cookie": {
      "originalMaxAge": 3599997,
      "expires": {
        "$date": "2020-02-03T15:04:06.890Z"
      },
      "secure": false,
      "httpOnly": true,
      "domain": null,
      "path": "/",
      "sameSite": null
    },
    "passport": {
      "user": "someUser"
    }
  }
}
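
The drift described above, reproduced on an in-memory copy of a stored session document. This is an added example, not connect-mongo's code: the function names are hypothetical, the sample document is constructed, and only the field names come from the document shown above.

```javascript
// In-memory model of the stored session document; no database is involved.

// Models the reported behaviour: touch refreshes only the top-level expires.
function touchTopLevelOnly(doc, now) {
  const maxAge = doc.session.cookie.originalMaxAge;
  return { ...doc, expires: new Date(now.getTime() + maxAge) };
}

// Hypothetical alternative: refresh both fields from the same timestamp.
function touchBoth(doc, now) {
  const expires = new Date(now.getTime() + doc.session.cookie.originalMaxAge);
  const cookie = { ...doc.session.cookie, expires };
  return { ...doc, expires, session: { ...doc.session, cookie } };
}

// Drift in ms between the two stored expiry values, or null when the cookie
// has no expires (a browser-session cookie without maxAge).
function expiryDriftMs(doc) {
  const cookieExpires = doc.session.cookie.expires;
  if (!cookieExpires) return null;
  return new Date(doc.expires).getTime() - new Date(cookieExpires).getTime();
}

// Audit helper: ids of documents whose two expiry fields disagree.
function findDrifted(docs, toleranceMs = 1000) {
  return docs
    .filter((d) => {
      const drift = expiryDriftMs(d);
      return drift !== null && Math.abs(drift) > toleranceMs;
    })
    .map((d) => d._id);
}

// Constructed sample: session created at t0 with a 60 s maxAge, touched 30 s later.
const t0 = new Date('2020-02-03T15:00:00.000Z');
const created = {
  _id: 'constructed-session-id',
  expires: new Date(t0.getTime() + 60000),
  session: { cookie: { originalMaxAge: 60000, expires: new Date(t0.getTime() + 60000) } },
};
const later = new Date(t0.getTime() + 30000);
const stale = touchTopLevelOnly(created, later);
const synced = touchBoth(created, later);

console.log(expiryDriftMs(stale), expiryDriftMs(synced), findDrifted([stale, synced]));
```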

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 5
  • Comments: 34 (8 by maintainers)

Most upvoted comments

Current Behavior

| resave | rolling | expires | session.expires |
|--------|---------|---------|-----------------|
| false  | false   | y       | n               |
| false  | true    | y       | n               |
| true   | false   | y       | y               |
| true   | true    | y       | y               |

Expected Behavior (my opinion)

I performed a quick search on expires. It seems to me that it (the top-level expires) is used to perform faster queries and should reflect the value in the cookie.

| resave | rolling | expires | session.expires | Justification |
|--------|---------|---------|-----------------|---------------|
| false  | false   | n       | n               | If session is not modified and resave is false, then db should be unchanged. |
| false  | true    | y       | y               | “With [rolling] enabled, the session identifier cookie will expire in maxAge since the last response was sent instead of in maxAge since the session was last modified by the server.” Expiration always rolling. (See discussion in issue linked above) |
| true   | false   | n       | n               | resave forces the session to be saved back to the session store. No mention of expires |
| true   | true    | y       | y               | “With [rolling] enabled, the session identifier cookie will expire in maxAge since the last response was sent instead of in maxAge since the session was last modified by the server.” |

Reference: https://expressjs.com/en/resources/middleware/session.html

Happy to have a look at code if everyone agrees.

@YC I have just reverted it in develop branch. https://github.com/jdesboeufs/connect-mongo/commit/82e1831b80fc5982b31a14b8db7dd0490d42d3a9 I will group the bug fixes and cut a release later.