
express-sessions's Issues

mongo session expiry is out by factor of 1000

Mongo session expiry uses a TTL index. The index is created by this code in index.js:

var schema = new mongoose.Schema({
    sid: { type: String, required: true, unique: true },
    data: { type: {} },
    lastAccess: { 
        type: Date, 
        index: { 
            expires: parseInt(options.expire) * 1000
        } 
    },
    expires: { type: Date, index: true }
});

The issue here is that expires is set to options.expire*1000, as if expecting to receive a value in seconds and convert it to milliseconds. However, if we look at the index that gets created:

{
    "v" : 1,
    "name" : "lastAccess_1",
    "key" : {
        "lastAccess" : 1
    },
    "ns" : "mayqat.sessions",
    "expireAfterSeconds" : 60000,
    "background" : true,
    "safe" : null
}

Notice that mongodb actually calls the value "expireAfterSeconds".

Easy fix: don't multiply by 1000 :)

I have forked and fixed, and could provide a pull request, though I've changed one other thing also (for issue 3).

memory leak / security problem when used with express 3.4.5

Hi,

Thanks for express-sessions - nice lib, and the only one I found that really works ;)

I hit a problem when using express 3.4.5 (may also affect other 3.x.y versions), which seems to be because of a version clash with express-sessions' dependency on 2.x.y.

To see the problem:
(1) Create a new express project with 3.x.y, using "express myapp".
(2) Add the following middleware to app.js:

var inc = 0;
app.use(function(req,res,next){
  res.locals["" + inc] = inc++;
  console.log(res.locals);
  next();
});

(3) Start the app and hit the app a few times with curl or a browser - you'll see that the same res.locals is re-used and just grows forever. This also means that any private information you might put in res.locals is available to the next request!

{ '0': 0, '1': 1, '2': 2, ... }

Without express-sessions res.locals is a new object on each request and you only see the latest value of inc, e.g.:

{ '3': 3 }

Just changing the dependency version to 3.4.5 fixes the problem for me.
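
The check below is an added example, not part of the original report or of express-sessions: a guard middleware (hypothetical name `localsReuseGuard`) that reports an error when the same res.locals object arrives on a second response, which is the symptom described in the report above. The `simulate` helper and its fake req/res objects are constructed so the guard runs without Express.

```javascript
// Guard middleware (hypothetical name): remembers which response first
// carried each res.locals object and reports an error if a different
// response shows up with the same one, i.e. state shared across requests.
function localsReuseGuard() {
  const owner = new WeakMap(); // res.locals -> first res seen with it
  return function guard(req, res, next) {
    const locals = res.locals;
    const trackable = locals !== null &&
      (typeof locals === 'object' || typeof locals === 'function');
    if (!trackable) {
      return next(); // nothing to track
    }
    const first = owner.get(locals);
    if (first === undefined) {
      owner.set(locals, res);
      return next();
    }
    if (first === res) {
      return next(); // same request, guard mounted twice
    }
    return next(new Error('res.locals reused across requests'));
  };
}

// Constructed stand-in for a request pipeline, so the guard can be run
// without Express. makeLocals decides whether locals are fresh or shared.
function simulate(makeLocals, requestCount) {
  const guard = localsReuseGuard();
  const results = [];
  for (let i = 0; i < requestCount; i++) {
    const res = { locals: makeLocals() };
    guard({}, res, function (err) {
      if (!err) res.locals.user = 'user-' + i; // per-request private data
      results.push(err ? 'leak' : 'ok');
    });
  }
  return results;
}

const shared = {};
const sharedRun = simulate(() => shared, 3); // one object reused, as reported
const freshRun = simulate(() => ({}), 3);    // a new object per request

console.log('shared locals:', sharedRun);
console.log('fresh locals: ', freshRun);
```

Mounted first in a test or staging build, the guard turns the silent cross-request sharing into an error on the second request instead of a growing object.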

Destroy session event

Hello and thanks for your wonderful package that makes life a bit easier!
My request is to implement an event handler for when you want to delete the session (before deleting). I understand that apparently destroy session fires based on maxAge, but it is not always the case. For example, if a user deletes the SID id in his browser, then a new session key will be created and the previous session will be destroyed without any notification.

Thanks

MongoStore.destroy not removing the stored session

I unfortunately don't have a simple test case to recreate for this. In my application, req.session.destroy() was not removing the session data from the database (effectively disabling the "sign out" functionality).

I found it has something to do with the callback being passed to remove. Changing the code to pass a valid, but noop callback fixed the issue.

    destroy: function (sid, cb) {
        MongoStore.client.remove({ sid: sid }, cb || function(){});
    },

The associated versions of modules I'm using are:

By the way, thanks for sharing this module!
