5

I have got a maximum session time setup using the following code (with Express.js & Passport.js).

  app.use(express.session({
    cookie: {
      maxAge : 3600000
    }
  }));

I would like to run a function if a session expires (for my log file and analytics). Something along the lines of this:

app.use(express.session.onExpiry(function(user){
        console.log('User session for ' + user + ' has expired.')
    });
);
madhead
  • 31,729
  • 16
  • 153
  • 201
Paul
  • 1,190
  • 3
  • 12
  • 24
  • 1
    While not directly addressing this specific issue, [my answer to this question](http://stackoverflow.com/questions/22262057/node-express-connect-session-management/22842008#22842008) might be helpful to you. One of the things you will notice from reading it is that there really isn't a session in express to keep track of or to expire. If you use Redis as your session store, [this Q&A](http://stackoverflow.com/questions/11810020/how-to-handle-session-expire-basing-redis) should be if interest. – barry-johnson Apr 08 '14 at 01:23
  • @barry-johnson Thanks for the comment. That's quite insightful info. I was already afraid that I would have to keep my own records of the user sessions. If I do I'll probably just use a simple js object (*instead of redis*) as I am not too concerned about stateless at this point. – Paul Apr 08 '14 at 01:37
  • 1
    You're welcome. Yes, if you make your own or extend MemoryStore you could add this fairly easily to your sweep & expire/remove process. If you're not dealing with scalability needs this will work OK but you will lose session persistence with node restarts (which may happen more often than you expect). You could also still use redis, but on your server just maintain a sort of parallel data structure (stick it in a piece of middleware) of just session keys and the last-touched timestamp and operate on that for your logging & analytics. – barry-johnson Apr 08 '14 at 02:35
  • What version of express are you using? – Farid Nouri Neshat Apr 19 '14 at 14:46
  • Version 3.x for express and latest for passport. I am happy to upgrade express if that helps. – Paul Apr 28 '14 at 06:39
  • This is making me wanna switch to rails :( – Paul Nov 12 '14 at 09:55

1 Answers1

1

What you're doing is setting a cookie "expires" parameter. Browser will clear the cookie up once it expires and you won't know about it — it simply will not arrive along with one of future requests.

Trick you can use to acutaly know if cookie is expired is to write a timestamp into a cookie and set its lifetime ("expires" value) to some faraway time (say, year 2037). This way you can manually check if you still want to treat a given cookie as valid or if you want to renew it.

Sadly, you'd have to write your own code along the lines of

app.use(function(req, res, next) {
    //Checking previously set cookie (if there is one)
    var session = JSON.parse(req.cookies['session'] || '');
    if (session && new Date(session.expires) < new Date()) {
        console.log('User session has expired.')
    }

    //Resetting the cookie
    res.cookie('session', JSON.stringify({ session: <sessionIDKeyHere>, expires: Date.now() + 3600000 }), {
        expires: new Date(2037, 0, 1),
        httpOnly: true,
        secure: true //Do you have https? If no, set to false
    });

    next();
});
Arseny Smoogly
  • 600
  • 2
  • 7
  • Forgot to add: This won't track session expiry immediately, only upon the next request. So if I hit your page and never return, you would not find out about it this way. But you still can log me and track if I have ever returned. – Arseny Smoogly Nov 17 '14 at 23:23