Is it possible to set cookies to never expire for express-session? If not, is there a maximum maxAge?

I found some documentation on how to set the cookie expiration here on SO (10+ years old) and here on express. However, this is for a specified time of 1 year.

Is it possible to never have it expire, and if so, how?

My config looks like this where maxAge is now set to default as follows:

const options = {
  // ... snip
  resave: false,
  saveUninitialized: true,
  cookie: {
    // null is the default: no maximum age is set on the cookie
    maxAge: null
  },
  store: new RedisStore({ client: RedisClient })
};

As an aside, what is the default maxAge?

According to the docs the default (null) should not be persistent, but if I leave the value at null they are still persisting for some time.

favor
  • No. Cookies must have an expiration date. It's in the specification of cookies. – atiqorin Nov 17 '21 at 01:05
  • Do you have a link to the spec? Does it spec. a max expiration date? – favor Nov 17 '21 at 01:12
  • https://datatracker.ietf.org/doc/html/rfc6265 – atiqorin Nov 17 '21 at 01:15
  • "If not, is there a maximum maxAge?" I'm pretty sure the maximum maxAge is just the largest integer the browser can handle, so you can safely just set it to the maximum 32-bit integer (2147483647) and that should suit you for the next 68 years or so – Jake Nov 17 '21 at 01:47
  • It is 64 bits anyways ... see here ... https://stackoverflow.com/questions/307179/what-is-javascripts-highest-integer-value-that-a-number-can-go-to-without-losin – favor Nov 17 '21 at 04:05

1 Answer

According to Section 5.3.3 of the cookie spec, if you do not specify a MaxAge or Expires header at all, the user agent will set the cookie to expire at the latest date it can represent (= the maximum integer it can store), which is pretty much infinite. However, this will set the cookie's persistent flag to false, meaning that the cookie is never stored on the disk and therefore will be deleted the moment the browser closes.

What prevents you from just setting the expiration date to some point way in the future though? 10 years? Maybe 100 years? I don't think you'll ever need to persist a session cookie that long.

Jake
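
The user-agent behaviour discussed above (RFC 6265 sections 5.2.2 and 5.3), as an added example that is not part of the original question or answer: a small model of how a browser derives a cookie's persistent flag and expiry time from a Set-Cookie header. `cookieLifetime`, `NOW` and the sample headers are constructed for illustration, and `Expires` is parsed with `Date.parse` as a simplification of the RFC's own date algorithm.

```javascript
// Added example: models RFC 6265 sections 5.2.1, 5.2.2 and 5.3 step 3.
// cookieLifetime is a hypothetical helper, not part of express-session.
const LATEST = 8.64e15;    // latest date a JS Date can represent (ms)
const EARLIEST = -8.64e15; // earliest representable date (ms)

function cookieLifetime(setCookie, nowMs) {
  let maxAge, expires;
  // Skip the name=value pair, then walk the attributes; the last valid one wins.
  for (const part of setCookie.split(';').slice(1)) {
    const eq = part.indexOf('=');
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq < 0 ? '' : part.slice(eq + 1).trim();
    if (name === 'max-age' && /^-?[0-9]+$/.test(value)) {
      // 5.2.2: zero or negative means "expire immediately".
      const secs = Number(value);
      maxAge = secs <= 0 ? EARLIEST : Math.min(nowMs + secs * 1000, LATEST);
    } else if (name === 'expires' && !Number.isNaN(Date.parse(value))) {
      expires = Date.parse(value);
    }
  }
  // 5.3 step 3: Max-Age takes precedence over Expires. With neither, the
  // cookie is non-persistent and its expiry-time is the latest representable date.
  if (maxAge !== undefined) return { persistent: true, expiryTime: maxAge };
  if (expires !== undefined) return { persistent: true, expiryTime: expires };
  return { persistent: false, expiryTime: LATEST };
}

const NOW = Date.UTC(2021, 10, 17); // constructed "current time"
const samples = [ // constructed headers; connect.sid is express-session's default name
  'connect.sid=s%3Aexample; Path=/; HttpOnly',                     // maxAge: null
  'connect.sid=s%3Aexample; Path=/; HttpOnly; Max-Age=2147483647', // value from the comments
  'connect.sid=s%3Aexample; Path=/; Max-Age=0',                    // delete immediately
  'connect.sid=s%3Aexample; Expires=Wed, 17 Nov 2032 00:00:00 GMT; Max-Age=60',
];
for (const header of samples) {
  const { persistent, expiryTime } = cookieLifetime(header, NOW);
  console.log(persistent, new Date(expiryTime).toISOString(), '<-', header);
}
```

A far-future Max-Age also extends how long a copied session ID stays usable, so pair long cookie lifetimes with server-side expiry or revocation in the session store.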