17

I would like to have a "Stay signed in" option such as the one provided by Gmail. This way, the user can decide if they want to keep the session open upon opening a new browser session after previously closing it.

Looking into the GitHub issues, I saw the cookie-session component doesn't provide a way to update the maxAge property dynamically.

I'm wondering then if there's any way at all to achieve the "Stay signed in" feature with the cookie-session component.

It seems to me a basic feature for a component which is being downloaded 80K times a month.

Alvaro
  • 1
    Does this not provide what you're looking for: https://www.npmjs.com/package/cookie-session#per-user-sticky-max-age ? – SlashmanX Jan 07 '16 at 14:06
  • @SlashmanX not really. `req.body` doesn't seem to be accessible in the middleware so how can I base it on the `Stay signed in` checkbox? – Alvaro Jan 07 '16 at 14:47
  • 1
    Might not be the best way of doing it, but could you get the cookie and alter the expiration for each request (if they have stay signed in enabled)? – Ash Jan 07 '16 at 20:09

2 Answers

2
```js
// This allows you to set req.session.maxAge to let certain sessions
// have a different value than the default.
app.use(function (req, res, next) {
  // here you can see whether they checked the checkbox or not, and change maxAge.
  // the default should be that it expires when the browser is closed
  req.sessionOptions.maxAge = req.session.maxAge || req.sessionOptions.maxAge

  // use only one of the two expires assignments below
  // or you can try to set expires to 1 day from now:
  req.sessionOptions.expires = new Date(Date.now()+86400000)
  // or at the end of the session:
  req.sessionOptions.expires = 0

  // hand the request on to the next middleware; without this it hangs
  next()
})
```
Gavriel
  • Nop, that's just taken from the docs and it doesn't provide a solution for the problem. – Alvaro Jan 20 '16 at 11:03
  • Also, as I said `req.body` doesn't seem to be accessible in the middleware. – Alvaro Jan 20 '16 at 15:23
  • Please decide: EITHER it's from the docs and then it indicates that req is available and so it is a solution OR it is not from the docs – Gavriel Jan 20 '16 at 15:28
  • I can not test it right now, but in any case, setting `maxAge` won't at any time force the deletion of the cookie at the end of the browser session. [Check this](https://github.com/expressjs/cookie-session/issues/51). – Alvaro Jan 20 '16 at 18:04
  • Hmm, that may be right. I added 2 more lines for setting the expires. Of course you would need either the 1st one to set it for 1 day (or you can add whatever you want) for someone who checked the checkbox, or the 0 for those who want it to expire at the end of the session – Gavriel Jan 20 '16 at 18:14
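
One way to tie the checkbox to the cookie lifetime with cookie-session, as an added example that is not code from the question, the answers, or the cookie-session project. It assumes cookie-session is mounted earlier and provides `req.session` and `req.sessionOptions`, and that a body parser runs before the login route; the `staySignedIn` field, the session property names and both time limits are hypothetical.

```javascript
// Added example. Assumes cookie-session is mounted earlier and exposes
// req.session and req.sessionOptions; field names are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;
const PERSISTENT_MS = 14 * DAY_MS; // assumed policy for "stay signed in"
const TRANSIENT_MS = DAY_MS / 2;   // assumed server-side cap for browser-session logins

// Call from the login route after credentials are verified. The route runs
// after the body parser, so req.body (the checkbox) is available here.
function startSession(req, userId, now = Date.now()) {
  const persistent = req.body.staySignedIn === 'on'; // unchecked boxes are not submitted
  req.session = { userId, persistent, issuedAt: now };
  applyCookieLifetime(req, now);
}

// Sets the cookie attributes for this response from the signed session data.
function applyCookieLifetime(req, now = Date.now()) {
  const s = req.session;
  const opts = req.sessionOptions;
  if (s.persistent) {
    // Remaining time, so a re-issued cookie never outlives the original grant.
    opts.maxAge = s.issuedAt + PERSISTENT_MS - now;
  } else {
    // No Max-Age/Expires: the browser treats it as a session cookie.
    opts.maxAge = undefined;
    opts.expires = undefined;
  }
}

// Mount right after cookie-session. It needs only req.session, not req.body.
function sessionLifetime(req, res, next) {
  const s = req.session;
  if (s && typeof s.issuedAt === 'number') {
    const limit = s.persistent ? PERSISTENT_MS : TRANSIENT_MS;
    // Cookie expiry is enforced only by the browser; check the age server-side too.
    if (Date.now() - s.issuedAt >= limit) {
      req.session = null; // cookie-session's documented way to destroy a session
    } else {
      applyCookieLifetime(req);
    }
  }
  next();
}
```

Because cookie-session keeps the whole session in the client's cookie, the `issuedAt` check is what stops a copied cookie from being accepted after its intended lifetime.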
1

If you are using ExpressJS, session module has an option.

https://github.com/expressjs/session

Alternatively req.session.cookie.maxAge will return the time remaining in milliseconds, which we may also re-assign a new value to adjust the .expires property appropriately. The following are essentially equivalent

Anakin
  • I'm not using Express session, but cookie-session. The main reason is the following: `Warning The default server-side session storage, MemoryStore, is purposely not designed for a production environment.` I'm using Windows, and it doesn't sound easy to go for another server-side storage. Too complicated for something that should be easier... – Alvaro Jan 20 '16 at 11:05
  • If you don't have any other session store (like redis), you'll use memory store anyways, in any other session module (or without module). If you are not going to make something big, you can use memorystore without problems. – Anakin Jan 20 '16 at 11:31
  • Are you saying [cookie-session](https://github.com/expressjs/cookie-session) is not designed for production environments either ? – Alvaro Jan 20 '16 at 15:25
  • Yes. It depends on the size of your project and users. For example, if you are building an application for 50 people max, you can use express-session or cookie-session. But if you are targeting thousands of people, you have no luck in production, you need redis etc. – Anakin Jan 20 '16 at 15:47