How to change session expiration?


Matthew Browne

Jun 15, 2014, 9:27:30 PM
to der...@googlegroups.com
Hi,
I noticed that by default, sessions in Derby stick around after a browser restart...from looking in the "sessions" collection in the DB it appears that the default expiration time is 2 weeks. Does anyone know how to change this so that by default, sessions are deleted when the browser exits? Or to change it to 24 hours instead of 2 weeks?

I Googled about how Express sessions work and saw mentions of changing the "maxAge" and/or "expires" options (I think "expires" is for newer versions of Express) but when I tried to change it in the use(express.session(...)) configuration it seemed to have no effect.

Thanks,
Matt

Matthew Browne

Jun 17, 2014, 11:53:38 AM
to der...@googlegroups.com
I figured out what was going on, but I'm still not sure what is the best solution to this...

It turns out that if Chrome is set to "Continue where you left off" on startup (or the equivalent option in Firefox), the cookie does not actually expire when the browser exits, which is supposed to be the default behavior if the cookie expiration is set to null (which is the Connect default). Unfortunately I believe that "Continue where you left off" is the default startup option on Chrome for Mac but at least it's not the default elsewhere. This is obviously a security concern because it means that session cookies can hang around for much longer than intended; I found this StackOverflow thread about it:

http://stackoverflow.com/questions/10617954/chrome-doesnt-delete-session-cookies

Unfortunately that thread doesn't offer much of a solution (and it doesn't seem that the browser behavior is likely to change either)...

Does anyone know if it's possible to set the cookie to expire when the browser session ends by default, but to also have a mandatory expiration date in case the user has "Continue where you left off" enabled? I'm concerned that for those users (especially Chrome for Mac users), they'll stay logged in forever unless they log out or deliberately delete their cookies...

For now I just left it as the default, which is equivalent to:

.use(express.session({
    ...
    cookie: {maxAge: null}
}))


...so that at least for users who don't have "Continue where you left off" enabled, the cookie will get deleted when the browser exits.
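
The "mandatory expiration" asked about above can be enforced on the server while the cookie itself stays a browser-session cookie (`maxAge: null`). The following is an added example, not part of the original thread and not Derby or Express code; `absoluteSessionTimeout`, `createdAt` and `sessionExpired` are hypothetical names, and it assumes `req.session` is the session middleware's object with a `destroy(cb)` method.

```javascript
// Added example: absolute server-side session lifetime, independent of when
// (or whether) the browser discards its session cookie.
// Assumptions: Connect/Express-style middleware mounted after the session
// middleware; `createdAt` and `sessionExpired` are names chosen for this example.
const DAY_MS = 24 * 60 * 60 * 1000;

function absoluteSessionTimeout(maxLifetimeMs, now = Date.now) {
  return function (req, res, next) {
    const session = req.session;
    if (!session) return next();             // session middleware not mounted

    const t = now();
    if (typeof session.createdAt !== 'number') {
      session.createdAt = t;                 // first request on this session
      return next();
    }
    if (t - session.createdAt < maxLifetimeMs) return next();

    // Too old: drop the server-side record so a cookie the browser restored
    // after a restart no longer maps to a logged-in session.
    session.destroy(function (err) {
      if (err) return next(err);
      req.sessionExpired = true;             // later handlers can redirect to login
      next();
    });
  };
}

// Constructed demonstration: fake session object and fake clock, no server needed.
function demo() {
  let clock = 0;
  const guard = absoluteSessionTimeout(DAY_MS, () => clock);
  const store = { alive: true };
  const req = { session: { destroy(cb) { store.alive = false; cb(); } } };
  const results = [];
  const step = () => guard(req, {}, () => results.push(store.alive));

  step();                                    // t = 0: session gets stamped
  clock = DAY_MS - 1; step();                // just under 24 h: still valid
  clock = DAY_MS; step();                    // 24 h reached: record destroyed
  return { results, createdAt: req.session.createdAt,
           expired: req.sessionExpired === true };
}
```

Because the timestamp lives in the server-side session record, the client cannot extend it, and a session regenerated at login starts a fresh lifetime on its next request.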

Joseph Gentle

Jun 17, 2014, 2:03:33 PM
to derbyjs

You might be better off asking the express mailing list, or posting to stack overflow. There is nothing derby-specific about how browsers manage cookies, or how the session manager sends them out.

-J

--
You received this message because you are subscribed to the Google Groups "Derby" group.
To unsubscribe from this group and stop receiving emails from it, send an email to derbyjs+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Matthew Browne

Jun 17, 2014, 2:14:30 PM
to der...@googlegroups.com
That's true...at first I wasn't sure if something Derby-specific was going on. I mainly just wanted to follow up on my original post in case this info is helpful to others (but of course I was also curious to hear if anyone here knew of a better solution).

Thanks