Search code examples
node.jsexpresssession-cookiesnode.js-connect

Set individual maxAge for sessions when using cookieSession() in Connect/Express

I am trying to use Connect/Express cookieSession() in order to store my node.js sessions in cookies (and thus, avoiding a server-side session store). This would help me to 'remember' the user when they log in and keep sessions alive even after server restarts.

I would like to do this with cookieSession():

app.use( express.cookieSession( { secret: 'secret_key' } ) );
app.use( function (req, res, next) {
    if ( req.method == 'POST' && req.url == '/login' ) {
      if ( req.body.remember ) {
        req.session.cookie.maxAge = 30*24*60*60*1000; // Rememeber 'me' for 30 days
      } else {
        req.session.cookie.expires = false;
      }
    }
    next();
});

However, this does not work, because req.session.cookie is undefined. I also tried the following, but it didn't seem to work:

app.use( express.session( { secret: 'secret_key' } ) );
app.use( function (req, res, next) {
    if ( req.method == 'POST' && req.url == '/login' ) {
      if ( req.body.remember ) {
        req.cookies['connect.sess'].maxAge = 30*24*60*60*1000; // Rememeber 'me' for 30 days
      } else {
        rreq.cookies['connect.sess'].expires = false;
      }
    }
    next();
});
Solution

  • Starting out with

    app.use(express.cookieSession({ secret: config.server.cookieSecret }));

    And changing it to

    app.use(function(req, res, next) {
  express.cookieSession({
    secret: config.server.cookieSecret,
    cookie: {
      maxAge: req.param('remember') ? 20000 : 3000
    },
  })(req, res, next);
})

    So, we create our own middleware, wrapped around the cookieSession middleware, changing the maxAge based on a param.

    So, whenever you change the session you'll need to pass a remember in the body, query, or params( that's where req.param() looks ). In most cases, you only set a user_id to the session once, at login.

    It's 3 seconds or 20 seconds to test and ensure it works.

    And again, it might be not very helpful if you're setting stuff to your session a lot, but if you just set a user_id to session at login, this is all you need.

    If you are setting lots of stuff to your session, you should know that data get passed around at every request, and you should save only the minimum to the session, like user_id, then look up the data you need for each request, to keep the overhead down on the user.