What's exactly the meaning of "saveUninitialized","resave" and "rolling" properties in express-session?

Recently, I'm learning about the middleware "express-session" of express, and I want to understand all properties in the given options. But when I read about the API of express-session, I'm confused with the three properties: saveUninitialized, resave and rolling.

They all have an effect on cookie setting or session operation, so what is the difference and connection between them?

Hope somebody can help me to distinguish them.

Thanks a lot!

Winder asked Jan 15 '16 03:01



1 Answer

When a modern browser makes a request, it appends all cookies that match the current domain (website) in the Cookie header. Here's an example of what my browser might send if I visit stackoverflow.com:

Cookie: acct=1234

No cookies are sent by the browser when you visit a site for the first time. In that case (and if the owner wanted to utilise cookies to track user sessions, for example) the server will commonly respond with a Set-Cookie header, something like this:

Set-Cookie: acct=5678; expires=Sat, 15 May 2050 15:32:57 GMT; domain=.stackoverflow.com

(It can also append path, secure, and HttpOnly options, all explained here.) I'm simplifying, but, by default, express-session only sends Set-Cookie when you visit a site for the first time.

If rolling is true, it will be sent every time. This has the desired side-effect of continuously rolling forward the expiration of the cookie with every page refresh. The new expiration date is determined by adding maxAge to the current server time.

If you alter the req.session object, it will be saved back to the session store at the end of the request; otherwise it will not be saved. Setting resave to true forces it to be saved every time, even if no changes were made. It might seem illogical, but certain stores might require this (although, having looked through the list, it seems that none currently do).

When a cookie is set for the first time, a new session object is created in memory and saved to the store at the end of the request. This can take up a lot of space in the db if you have many people visiting and then bouncing without performing any meaningful action like logging in. You can choose to only save sessions if they deviate from the default session object (i.e. if you've modified it, like setting req.session.user = user; on login) by setting saveUninitialized to false.

Something to be aware of is that certain combinations of these values (along with others) might produce unexpected behaviour. For example, the documentation states:

When this option [rolling] is set to true but the saveUninitialized option is set to false, the cookie will not be set on a response with an uninitialized session.

Alex Alksne answered Nov 16 '22 00:11