touch method implementation does not satisfy express-session logical contract #412
Comments
|
I haven't thought about this is a while 🤣 Is part of the issue that express-session isn't notifying the store to invalidate the session? |
|
@wavded as I understand the intention of rolling, it's to allow requests to be used as a way to detect session activity and extend the effective expiry, where maxAge becomes a max idle time. So I think the issue issue is that the store is extending the redis entry, but not in a way that express-session cares about, and so the session is prematurely invalidated (making the redis entry orphaned in a sense). Now all of that said, since digging into this, I've determined that I actually want the extension mechanism to regenerate a session ID, so I've switched to |
|
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
|
This issue was closed because it has been stalled for 5 days with no activity. |
I have read #289 (and #285 , @wavded ), and while 285 may have satisfied express-session 's logical requirements for
touchat the time, it does not at this time. Therollingconfiguration option provided byexpress-sessionis effectively broken when using connect-redis, because while the redis entry TTL is updated, and the cookie expiry is updated in the browser, express-session invalidates the session once the originalmaxAgeis exceeded. This logical breakage negates any performance benefit that was provided by 285, as the touch method implementation is not allowingrolling: trueto do what it is supposed to do; instead, session data lingers in redis well after that session has been abandoned, and users' sessions are not extended.The text was updated successfully, but these errors were encountered: