Recently I've been learning about the express middleware "express-session", and I want to understand all the properties in the options it takes. But when I read the express-session API, I'm confused by three of the properties: saveUninitialized, resave and rolling.
They all have an effect on cookie setting or session operation, so what is the difference and the connection between them?
Hope somebody can help me to distinguish them,
Thanks a lot!
resave: It basically means that for every request to the server, it resets the session cookie, even if the request was from the same user or browser and the session was never modified during the request.
Express-session options and how to use them
secret - a random unique string key used to authenticate a session. It is stored in an environment variable and can't be exposed to the public. The key is usually long and randomly generated in a production environment.
resave - takes a Boolean value.
With express-session in particular, it has a built-in "not-meant-for-production" memory store (so session data is kept in memory and would not survive a server restart).
Express.js uses a cookie to store a session id (with an encryption signature) in the user's browser and then, on subsequent requests, uses the value of that cookie to retrieve session information stored on the server.
When a modern browser makes a request, it appends all cookies that match the current domain (website) in the Cookie header. Here's an example of what my browser might send if I visit stackoverflow.com:
Cookie: acct=1234
No cookies are sent by the browser when you visit a site for the first time. In that case (and if the owner wanted to utilise cookies to track user sessions, for example) the server will commonly respond with a Set-Cookie header, something like this:
Set-Cookie: acct=5678; expires=Sat, 15 May 2050 15:32:57 GMT; domain=.stackoverflow.com
(It can also append path, secure, and HttpOnly options, all explained here.) I'm simplifying but, by default, express-session only sends Set-Cookie when you visit a site for the first time.
If rolling is true, it will be sent every time. This has the desired side-effect of continuously rolling forward the expiration of the cookie with every page refresh. The new expiration date is determined by adding maxAge to the current server time.
If you alter the req.session object, it will be saved back to the session store at the end of the request; otherwise it will not be saved. Setting resave to true forces it to be saved every time, even if no changes were made. It might seem illogical, but certain stores might require this (although, having looked through the list, it seems that none currently do).
When a cookie is set for the first time, a new session object is created in memory and saved to the store at the end of the request. This can take up a lot of space in the db if you have many people visiting and then bouncing without performing any meaningful action like logging in. You can choose to only save sessions if they deviate from the default session object (i.e. if you've modified it, like setting req.session.user = user; on login) by setting saveUninitialized to false.
Something to be aware of is certain combinations of these values (along with others) might produce unexpected behaviour. For example, the documentation states:
When this option [rolling] is set to true but the saveUninitialized option is set to false, the cookie will not be set on a response with an uninitialized session.
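The interaction the answer above describes (which response gets a Set-Cookie, which request causes a write to the session store) can be checked side by side with a small model of the end-of-request decisions. This is an added example written for this page, not express-session's own code: FakeStore, endOfRequest and runVisit are names assumed for the illustration, the store only counts writes and touches instead of persisting anything, and the rules are a simplification of the middleware's documented logic (the real module also compares a hash of the session and the incoming cookie id). Treat it as a way to reason about option combinations, not as a drop-in.

```javascript
'use strict';

// Added example, not express-session's own code. FakeStore, endOfRequest and
// runVisit are names assumed for this illustration; the rules below model the
// documented behaviour of rolling, resave and saveUninitialized.

// Stand-in for a real session store (Redis, a SQL table, ...): it only counts
// the writes and touches it receives so the options can be compared.
class FakeStore {
  constructor() { this.writes = 0; this.touches = 0; }
  set() { this.writes += 1; }     // full session write
  touch() { this.touches += 1; }  // expiry refresh without rewriting data
}

// What the middleware does at the end of one request.
//   opts: { rolling, resave, saveUninitialized, maxAge (ms) }
//   req:  { hasValidCookie, modified, now (ms since epoch) }
function endOfRequest(opts, req, store) {
  const isNew = !req.hasValidCookie;          // no valid session cookie arrived
  const uninitialized = isNew && !req.modified;

  // Set-Cookie: a brand-new session gets a cookie only if something was stored
  // in it or saveUninitialized is on; an existing session is re-sent only when
  // rolling is on (or the session changed).
  const setCookie = isNew
    ? (opts.saveUninitialized || req.modified)
    : (opts.rolling || req.modified);

  // Store write: an uninitialized session is skipped when saveUninitialized is
  // off; otherwise it is written when modified, or always when resave is on.
  const saveToStore = (uninitialized && !opts.saveUninitialized)
    ? false
    : (req.modified || opts.resave);

  // An unchanged existing session that is not re-saved is "touched" instead,
  // so stores that track their own TTL keep it in step with the cookie.
  const touch = !isNew && !saveToStore;

  if (saveToStore) store.set();
  if (touch) store.touch();

  return {
    setCookie,
    saveToStore,
    touch,
    // Fresh expiry = current server time + maxAge (null when no cookie is sent).
    expires: setCookie ? req.now + opts.maxAge : null,
  };
}

// One visit under a given configuration:
//   1. anonymous first hit (a "bounce"),
//   2. login, which assigns req.session.user,
//   3. a plain page refresh after login.
function runVisit(opts) {
  const store = new FakeStore();
  const r1 = endOfRequest(opts, { hasValidCookie: false, modified: false, now: 0 }, store);
  const r2 = endOfRequest(opts, { hasValidCookie: r1.setCookie, modified: true, now: 1000 }, store);
  const r3 = endOfRequest(opts, { hasValidCookie: true, modified: false, now: 2000 }, store);
  return { r1, r2, r3, writes: store.writes, touches: store.touches };
}

// Three configurations worth comparing (maxAge of one minute for readability).
const configs = {
  'resave+saveUninitialized': { rolling: false, resave: true, saveUninitialized: true, maxAge: 60000 },
  'lean (all false)':         { rolling: false, resave: false, saveUninitialized: false, maxAge: 60000 },
  'rolling, lean otherwise':  { rolling: true, resave: false, saveUninitialized: false, maxAge: 60000 },
};

for (const [name, opts] of Object.entries(configs)) {
  const v = runVisit(opts);
  console.log(name.padEnd(26),
    '| bounce Set-Cookie:', v.r1.setCookie,
    '| refresh Set-Cookie:', v.r3.setCookie,
    '| store writes:', v.writes,
    '| touches:', v.touches);
}
```

Run it with node. The first configuration writes the session to the store on all three requests and hands the bouncing visitor a cookie; the lean configuration writes once (at login) and only touches the store on the refresh; the rolling configuration re-sends Set-Cookie on the refresh with a new expiry of now plus maxAge, but still sends nothing on the anonymous first hit, which is exactly the documented caveat quoted above.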