 

When to use saveUninitialized and resave in express-session

I am a newbie with the MEAN stack. I read the express-session GitHub doc, but there are some options which are unclear to me. Those options are saveUninitialized and resave.

Can anyone please explain with examples what the advantages of using saveUninitialized and resave are, and what the effect will be if we change the boolean values of those options?

Syntax:

    app.use(session({
      resave: false,
      saveUninitialized: true,
    }))
user7104874 asked Nov 02 '16 13:11



2 Answers

Let's assume that sessions are enabled globally (for all requests).

When a client makes an HTTP request, and that request doesn't contain a session cookie, a new session will be created by express-session. Creating a new session does a few things:

  • generate a unique session id
  • store that session id in a session cookie (so subsequent requests made by the client can be identified)
  • create an empty session object, as req.session
  • depending on the value of saveUninitialized, at the end of the request, the session object will be stored in the session store (which is generally some sort of database)

If during the lifetime of the request the session object isn't modified then, at the end of the request and when saveUninitialized is false, the (still empty, because unmodified) session object will not be stored in the session store.

The reasoning behind this is that it prevents a lot of empty session objects from being stored in the session store. Since there's nothing useful to store, the session is "forgotten" at the end of the request.

When do you want to enable this? When you want to be able to identify recurring visitors, for example. You'd be able to recognize such a visitor because they send the session cookie containing the unique id.

About resave: this may have to be enabled for session stores that don't support the "touch" command. What this does is tell the session store that a particular session is still active, which is necessary because some stores will delete idle (unused) sessions after some time.

If a session store driver doesn't implement the touch command, then you should enable resave so that even when a session wasn't changed during a request, it is still updated in the store (thereby marking it active).

So whether or not you need to enable this option depends entirely on the session store that you're using.

robertklep answered Sep 17 '22 17:09


One thing to note is that if you set saveUninitialized to false, the session cookie will not be set on the browser unless the session is modified. That behavior may be implied but it was not clear to me when I was first reading through the documentation.

spencer.sm answered Sep 17 '22 17:09