ExpressJS session expiring despite activity

Question

Bringing this question to SO since the express group didn't have an answer.

I'm setting the session maxAge = 900000 and I see that the the expires property on the session cookie is set correctly. However, on subsequent requests the timeout is not being extended. It is never extended and the cookie eventually expires.

The session middleware docs say that Session#touch() isn't necessary because the session middleware will do it for me. I actually tried calling req.session.touch() manually and that did nothing, I also tried setting the maxAge on the req.session.cookie as well and that did nothing :-(

Am I missing a setting somewhere to automatically extend active sessions? Short of recreating the cookie manually on each request is there any other way to extend a session timeout after end-user activity?

---

EDIT: I experienced this problem in express v3. I'm not 100% sure but I think this note from the express changelog may have been the culprit:

• changed session() to only set-cookie on modification (hashed session json)

Answer 1

Rolling sessions now exist in express sessions. Setting the rolling attribute to true in the options, it will recalculate the expiry value by setting the maxAge offset, applied to the current time.

https://github.com/expressjs/session/issues/3

https://github.com/expressjs/session/issues/33

https://github.com/expressjs/session (search for rolling)

For example, note the rolling:

app.use(session({   secret: 'a secret',   cookie: {     path: '/',     httpOnly: true,     secure: false,     maxAge: 10 * 60 * 1000   },   rolling: true })); 

Answer 2

Here is the solution in case anyone else has the same issue:

function (req, res, next) {      if ('HEAD' == req.method || 'OPTIONS' == req.method) return next();      // break session hash / force express to spit out a new cookie once per second at most     req.session._garbage = Date();     req.session.touch();      next();  }