How to make session last maximum of 30 days using client-sessions duration and activeDuration

Question

According to https://github.com/mozilla/node-client-sessions#usage

var sessions = require("client-sessions");
app.use(sessions({
  cookieName: 'mySession', // cookie name dictates the key name added to the request object
  secret: 'blargadeeblargblarg', // should be a large unguessable string
  duration: 24 * 60 * 60 * 1000, // how long the session will stay valid in ms
  activeDuration: 1000 * 60 * 5 // if expiresIn < activeDuration, the session will be extended by activeDuration milliseconds
}));

I want my users' sessions to be active for a maximum of 30 days. If I set duration to 30 days and activeDuration to 30 days, I think I'll end up with 60 day long sessions.

If I set duration to 15 days and activeDuration to 15 days, won't a user who logs in and then does nothing at all be logged out in 15 days (not that I expect that kind of user behavior, but is my assumption correct?)

All I want is for every time a user comes to the site to get 30 days before they need to re-login. How do I get that behavior?

Answer 1

You can use express-session NPM to achieve your functionality:

Here is the code and reference links:

CODE:

let session = require('express-session')
let time = new Date(Date.now() + (30 * 86400 * 1000))
let app = express()
let sess = {
  secret: 'keyboard_cat',
  cookie: { maxAge: time }
}

if (app.get('env') === 'production') {
  app.set('trust proxy', 1) // trust first proxy
  sess.cookie.secure = true // serve secure cookies
}

app.use(session(sess))

app.use(session({
  genid: function(req) {
    return genuuid() // use UUIDs for session IDs
  },
  secret: 'keyboard cat'
}))

//call your route and do session things here
app.get('/', function(req, res, next) {
  if (req.session.views) {
    req.session.views++
    res.setHeader('Content-Type', 'text/html')
    res.write('<p>views: ' + req.session.views + '</p>')
    res.write('<p>expires in: ' + (req.session.cookie.maxAge / 1000) + 's</p>')
    res.end()
  } else {
    req.session.views = 1
    res.end('welcome to the session demo. refresh!')
  }
})

For more refer this links:

NPM package

example

Answer 2

UPDATE 3:

I was thinking about an easier way using your original configuration. try to set duration to one day and activeDuration to 30. Or for testing purposes, set duration to 1 minute and activeDuration to 5 minutes and log in and use the site withing the first minute and then again in 3 minutes. See if that would work.

---

UPDATE 2:

To make things clearer In my last update I was referring to a different connect middleware the express-session middleware. usage:

npm install express-session

then:

var session = require('express-session')
app.use(sessions({
secret: 'blargadeeblargblarg',
cookie: {expires = new Date(Date.now() + (30 * 86400 * 1000))}  
}));

app.use(function(req, res, next) {
  // Here you implement a function to load the session if it's valid
  // you check whether the req.session.cookie.expires is < now and if it is
  // you call req.session.reload(callback function after reloading has completed)
  next();
});

for more information:

https://github.com/expressjs/session

UPDATE:

Basically you are asking for something similar to a timeout. Remove both duration and activeDuration and use this instead: expires: new Date(Date.now() + (30 * 86400 * 1000)) this will mean that once a user login, every time they use your site they get their session renewed by 30 days from the time of last access.

---

If you need the user to log in after 30 days, then I would set activeDuration to 0. This way the session will never be extended beyond 30 days even if the user is active and they would have to log in again.

activeDuration is the period of time before session expiration in which if the user is active, the session will be extended by that duration.

For example: you set duration to 30 days and activeDuration to 5 days. Say the user becomes active 4 day before session ends. This way they get an additional 5 days on top of the original 30 days. Say the become active again in the extra 5 days. Then they get another 5 days on top of the 35 days now. So this means if the user stays active the session never expires.