I have Node.js 0.8.21 and Express 3.1.0 (modules are the latest). There is a well-known Heroku project with Express, MongoDB and Passport authentication:
https://github.com/madhums/nodejs-express-mongoose-demo
Session storage:
var express = require('express')
, mongoStore = require('connect-mongo')(express)
...
// request logging middleware, registered before the views settings below
// (NOTE(review): `app`, `express` and `config` are defined outside this excerpt)
app.use(express.logger('dev'))
// set views path, template engine and default layout
// (only the views path and the engine are set here; no layout setting is visible in this excerpt)
app.set('views', config.root + '/app/views')
app.set('view engine', 'jade')
app.configure(function () {
// dynamic helpers
app.use(viewHelpers(config))
// cookieParser should be above session
app.use(express.cookieParser())
// bodyParser should be above methodOverride
app.use(express.bodyParser())
app.use(express.methodOverride())
// express/mongo session storage
app.use(express.session({
secret: 'noobjs',
store: new mongoStore({
url: config.db,
collection : 'sessions'
})
}))
// connect flash for flash messages
app.use(flash())
// use passport session
app.use(passport.initialize())
app.use(passport.session())
app.use(express.favicon())
// routes should be at the last
app.use(app.router)
...
QUESTION: I want users to stay logged in for only 70 seconds, so I added `cookie: {maxAge: 70*1000}` after the `app.use(express.session({` line. What happens is that users can browse the site for only 70 seconds, then they are logged out. If the user refreshes the page or follows a link, the session in the database is UPDATED like this:
{ "_id" : "cVYWfv7kHbaEPNUCD2Bbbaw4",
"session" : "{\"cookie\":{\"originalMaxAge\":70000,\"expires\":\"2013-03-02T14:46:52.146Z\",\"httpOnly\":true,\"path\":\"/\"},\"passport\":{\"user\":\"51320f3fd04c162d14000003\"},\"flash\":{}}",
"expires" : Date( 1362235612146 ) }
BUT ANYWAY THE USER STAYS LOGGED IN FOR ONLY 70 SECONDS. I mean that the session is updated in MongoDB with a new expires date, BUT the user can STILL stay logged in for only 70 seconds SINCE LOGGING IN.
Help me, please. Thank you.
I suppose connect-mongo maintains a TTL index over the sessions collection, which MongoDB checks at a one-minute interval to decide whether a session document should be deleted. So your sessions can only be expired at roughly 1 minute, 2 minutes or k minutes, k being an integer. You can't have your sessions deleted otherwise IF you rely on connect-mongo's expiration logic.
What you can do:
Either write the custom expiration logic yourself, ignoring what connect-mongo is doing (bogus method).
OR, after 70 seconds, simply delete the cookie in the browser. Write JavaScript code that does so. There is one downside, though: a user might still disable JavaScript on their end and let the cookie live, and because the cookie deletion is done client-side rather than enforced by the server, it is possible that they can continue their session for up to 120 seconds at most (assuming your expires is set to 70 seconds). If those extra 50 seconds are an acceptable compromise in your case, then you can go with this quick, elegant fix.