
express-sessions's Introduction

express-sessions

ExpressJS/Mongoose Session Storage

Installation

npm install express-sessions

Usage

var mongoose = require('mongoose');

mongoose.connect();

app.use(express.session({
    secret: 'a4f8071f-c873-4447-8ee2', // example value; set your own secret
    cookie: { maxAge: 2628000000 }, // cookie lifetime in milliseconds
    store: new (require('express-sessions'))({
        storage: 'mongodb',
        instance: mongoose, // optional
        host: 'localhost', // optional
        port: 27017, // optional
        db: 'test', // optional
        collection: 'sessions', // optional
        expire: 86400 // optional
    })
}));

Or

var redis = require('redis');
var client = redis.createClient(6379, 'localhost');

app.use(express.session({
    secret: 'a4f8071f-c873-4447-8ee2', // example value; set your own secret
    cookie: { maxAge: 2628000000 }, // cookie lifetime in milliseconds
    store: new (require('express-sessions'))({
        storage: 'redis',
        instance: client, // optional
        host: 'localhost', // optional
        port: 6379, // optional
        collection: 'sessions', // optional
        expire: 86400 // optional
    })
}));

That's it!

express-sessions's People

Contributors

konteck, swissgt


express-sessions's Issues

MongoStore.destroy not removing the stored session

I unfortunately don't have a simple test case to recreate for this. In my application, req.session.destroy() was not removing the session data from the database (effectively disabling the "sign out" functionality).

I found it has something to do with the callback being passed to remove. Changing the code to pass a valid, but noop callback fixed the issue.

    destroy: function (sid, cb) {
        MongoStore.client.remove({ sid: sid }, cb || function(){});
    },

The associated versions of modules I'm using are:

By the way, thanks for sharing this module!

memory leak / security problem when used with express 3.4.5

Hi,

Thanks for express-sessions - nice lib, and the only one I found that really works ;)

I hit a problem when using express 3.4.5 (may also affect other 3.x.y versions), which seems to be because of a version clash with express-sessions' dependency on 2.x.y.

To see the problem:
(1) Create a new express project with 3.x.y, using "express myapp".
(2) Add the following middleware to app.js:

var inc = 0;
app.use(function(req,res,next){
  res.locals["" + inc] = inc++;
  console.log(res.locals);
  next();
});

(3) Start the app and hit the app a few times with curl or a browser - you'll see that the same res.locals is re-used and just grows forever. This also means that any private information you might put in res.locals is available to the next request!

{ '0': 0, '1': 1, '2': 2, ... }

Without express-sessions res.locals is a new object on each request and you only see the latest value of inc, e.g.:

{ '3': 3 }

Just changing the dependency version to 3.4.5 fixes the problem for me.
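
A guard for the res.locals reuse reported above, as an added example that is not part of the original issue or of express-sessions. The names localsIsolationGuard and simulate are hypothetical, and the harness uses constructed fake req/res objects so it runs without Express.

```javascript
// Returns middleware that fails any request whose res.locals object was
// already handed to an earlier request (the cross-request reuse in the report).
function localsIsolationGuard() {
  const seen = new WeakSet(); // locals objects observed on previous requests
  return function guard(req, res, next) {
    if (seen.has(res.locals)) {
      const err = new Error('res.locals reused across requests');
      err.leakedKeys = Object.keys(res.locals); // key names only, never values
      return next(err);
    }
    seen.add(res.locals);
    next();
  };
}

// Constructed harness: drives `count` fake requests through the guard and then
// through the counter middleware from the report. `makeLocals` decides whether
// each request gets a fresh object or the same shared one.
function simulate(count, makeLocals) {
  const guard = localsIsolationGuard();
  let inc = 0;
  const counter = function (req, res, next) {
    res.locals['' + inc] = inc++;
    next();
  };
  const outcomes = [];
  for (let i = 0; i < count; i++) {
    const req = { url: '/' };
    const res = { locals: makeLocals() };
    guard(req, res, function (err) {
      if (err) return outcomes.push({ ok: false, leakedKeys: err.leakedKeys });
      counter(req, res, function () {
        outcomes.push({ ok: true, keys: Object.keys(res.locals) });
      });
    });
  }
  return outcomes;
}

const shared = {};
const broken = simulate(3, function () { return shared; }); // one object for all requests
const healthy = simulate(3, function () { return {}; });    // fresh object per request
console.log(broken);
console.log(healthy);
```

Mounted as the first middleware, the guard rejects the second and later requests instead of letting them read the previous request's values.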

mongo session expiry is out by factor of 1000

Mongo session expiry uses a TTL index. The index is created by this code in index.js:

var schema = new mongoose.Schema({
    sid: { type: String, required: true, unique: true },
    data: { type: {} },
    lastAccess: { 
        type: Date, 
        index: { 
            expires: parseInt(options.expire) * 1000
        } 
    },
    expires: { type: Date, index: true }
});

The issue here is that expires is set to options.expire*1000, as if expecting to receive a value in seconds and convert it to milliseconds. However, if we look at the index that gets created:

{
"v" : 1,
"name" : "lastAccess_1",
"key" : {
    "lastAccess" : 1
},
"ns" : "mayqat.sessions",
"expireAfterSeconds" : 60000,
"background" : true,
"safe" : null
}

Notice that mongodb actually calls the value "expireAfterSeconds".

Easy fix: don't multiply by 1000 :)

I have forked and fixed, and could provide a pull request, though I've changed one other thing also (for issue 3).
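
A check for the unit error reported above, as an added example that is not part of the original issue or of express-sessions. The function name auditSessionTtl is hypothetical, and the intended lifetime of 60 seconds is an assumption inferred from the reported 60000 / 1000.

```javascript
// `indexes` has the shape printed by db.<collection>.getIndexes();
// `field` and `intendedSeconds` are supplied by the caller.
function auditSessionTtl(indexes, field, intendedSeconds) {
  const onField = indexes.filter(function (ix) {
    return ix.key && Object.prototype.hasOwnProperty.call(ix.key, field);
  });
  // MongoDB honours expireAfterSeconds only on single-field indexes.
  const ttl = onField.filter(function (ix) {
    return Object.keys(ix.key).length === 1 &&
      typeof ix.expireAfterSeconds === 'number';
  });
  if (ttl.length === 0) {
    return { status: 'no-ttl', detail: 'no usable TTL index on "' + field + '"' };
  }
  const actual = ttl[0].expireAfterSeconds;
  let status = 'mismatch';
  if (actual === intendedSeconds) status = 'ok';
  else if (actual / intendedSeconds === 1000) status = 'unit-error'; // ms passed as s
  return {
    status: status,
    index: ttl[0].name,
    actualSeconds: actual,
    intendedSeconds: intendedSeconds,
    actualHours: Math.round(actual / 36) / 100
  };
}

// Index document copied from the report above.
const reported = [{
  v: 1, name: 'lastAccess_1', key: { lastAccess: 1 },
  ns: 'mayqat.sessions', expireAfterSeconds: 60000, background: true, safe: null
}];
// Constructed inputs: the same index after the fix, and a compound index.
const fixed = [{ name: 'lastAccess_1', key: { lastAccess: 1 }, expireAfterSeconds: 60 }];
const compound = [{
  name: 'sid_1_lastAccess_1', key: { sid: 1, lastAccess: 1 }, expireAfterSeconds: 60
}];

// 60 is an assumed options.expire, inferred from 60000 / 1000.
console.log(auditSessionTtl(reported, 'lastAccess', 60));
console.log(auditSessionTtl(fixed, 'lastAccess', 60));
console.log(auditSessionTtl(compound, 'lastAccess', 60));
```

For the reported index the result is a unit error: a session meant to expire after one minute stays in the collection for roughly 16.7 hours.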

Destroy session event

Hello and thanks for your wonderful package that makes life a bit easier!
My request is to implement an event handler for when you want to delete the session (before deleting). I understand that apparently destroy session fires based on maxAge, but it is not always the case. For example, if the user deletes the SID id in his browser, then a new session key will be created and the previous session will be destroyed without any notification.

Thanks
