req.session.user is deleted while user is active

up vote
2
down vote

favorite

I set the session timeout to 30 minutes. While I am still active, req.session.user is deleted after 30 minutes. However, the session is still alive. Here's my config (i'm using express-session and passport.js):

app.use(session({

    store: new RedisStore(options),

    secret: <some_secret>,

    resave: false,

    saveUninitialized: false,

    cookie: {maxAge: 1800000}

}));



app.use(passport.initialize());

app.use(passport.session());



// Are these serializer/deserializer needed?

passport.serializeUser((user, done) => {

    done(null, user);

});

passport.deserializeUser((user, done) => {

    done(null, user);

});

In login:

router.post('/login', (req, res, next) => {

    passport.authenticate('ldapauth', {session: false}, (err, user, info) => {

        ...

        if (user) {

            req.session.user = {email: req.body.username};

        }

        next();

    })(req, res);

});

The verify code is like this:

isLoggedIn() {

    if (req.session && req.session.user) {

        return true;

    }

    return false;

}

I set the req.session.user to some object after I successfully logged in.

So, after 30 minutes, req.session.user is deleted, but req.session is still there and keeps on incrementing the expiry date since I am still actively working on the page.

Why is req.session.user deleted after 30 minutes? I thought passport rides on the session by express?

edited Nov 9 at 1:46

Community♦

asked Nov 8 at 9:34

iPhoneJavaDev

2202730

This question has an open bounty worth +50
reputation from iPhoneJavaDev ending in 4 days.

Looking for an answer drawing from credible and/or official sources.

Please post the redis options. I suspect you set the expiration on the data.
– niry
2 days ago

I didn't set any expiration on Redis. In the options i only provide the client to connect to. Besides, even when i encountered the timeout, the session id remains in redis.
– iPhoneJavaDev
2 days ago

Just to clarify, with "encountered the timeout", I mean the req.session.user that I set got deleted after 30 minutes of still being active. I'm thinking there's something going on with passport, maybe, i'm not sure.
– iPhoneJavaDev
2 days ago

add a comment |

up vote
2
down vote

favorite

app.use(session({

    store: new RedisStore(options),

    secret: <some_secret>,

    resave: false,

    saveUninitialized: false,

    cookie: {maxAge: 1800000}

}));



app.use(passport.initialize());

app.use(passport.session());



// Are these serializer/deserializer needed?

passport.serializeUser((user, done) => {

    done(null, user);

});

passport.deserializeUser((user, done) => {

    done(null, user);

});

In login:

router.post('/login', (req, res, next) => {

    passport.authenticate('ldapauth', {session: false}, (err, user, info) => {

        ...

        if (user) {

            req.session.user = {email: req.body.username};

        }

        next();

    })(req, res);

});

The verify code is like this:

isLoggedIn() {

    if (req.session && req.session.user) {

        return true;

    }

    return false;

}

I set the req.session.user to some object after I successfully logged in.

So, after 30 minutes, req.session.user is deleted, but req.session is still there and keeps on incrementing the expiry date since I am still actively working on the page.

Why is req.session.user deleted after 30 minutes? I thought passport rides on the session by express?

edited Nov 9 at 1:46

Community♦

asked Nov 8 at 9:34

iPhoneJavaDev

2202730

This question has an open bounty worth +50
reputation from iPhoneJavaDev ending in 4 days.

Looking for an answer drawing from credible and/or official sources.

Please post the redis options. I suspect you set the expiration on the data.
– niry
2 days ago

I didn't set any expiration on Redis. In the options i only provide the client to connect to. Besides, even when i encountered the timeout, the session id remains in redis.
– iPhoneJavaDev
2 days ago

Just to clarify, with "encountered the timeout", I mean the req.session.user that I set got deleted after 30 minutes of still being active. I'm thinking there's something going on with passport, maybe, i'm not sure.
– iPhoneJavaDev
2 days ago

add a comment |

up vote
2
down vote

favorite

app.use(session({

    store: new RedisStore(options),

    secret: <some_secret>,

    resave: false,

    saveUninitialized: false,

    cookie: {maxAge: 1800000}

}));



app.use(passport.initialize());

app.use(passport.session());



// Are these serializer/deserializer needed?

passport.serializeUser((user, done) => {

    done(null, user);

});

passport.deserializeUser((user, done) => {

    done(null, user);

});

In login:

router.post('/login', (req, res, next) => {

    passport.authenticate('ldapauth', {session: false}, (err, user, info) => {

        ...

        if (user) {

            req.session.user = {email: req.body.username};

        }

        next();

    })(req, res);

});

The verify code is like this:

isLoggedIn() {

    if (req.session && req.session.user) {

        return true;

    }

    return false;

}

I set the req.session.user to some object after I successfully logged in.

So, after 30 minutes, req.session.user is deleted, but req.session is still there and keeps on incrementing the expiry date since I am still actively working on the page.

Why is req.session.user deleted after 30 minutes? I thought passport rides on the session by express?

edited Nov 9 at 1:46

Community♦

asked Nov 8 at 9:34

iPhoneJavaDev

2202730

app.use(session({

    store: new RedisStore(options),

    secret: <some_secret>,

    resave: false,

    saveUninitialized: false,

    cookie: {maxAge: 1800000}

}));



app.use(passport.initialize());

app.use(passport.session());



// Are these serializer/deserializer needed?

passport.serializeUser((user, done) => {

    done(null, user);

});

passport.deserializeUser((user, done) => {

    done(null, user);

});

In login:

router.post('/login', (req, res, next) => {

    passport.authenticate('ldapauth', {session: false}, (err, user, info) => {

        ...

        if (user) {

            req.session.user = {email: req.body.username};

        }

        next();

    })(req, res);

});

The verify code is like this:

isLoggedIn() {

    if (req.session && req.session.user) {

        return true;

    }

    return false;

}

I set the req.session.user to some object after I successfully logged in.

So, after 30 minutes, req.session.user is deleted, but req.session is still there and keeps on incrementing the expiry date since I am still actively working on the page.

Why is req.session.user deleted after 30 minutes? I thought passport rides on the session by express?

node.js passport.js

edited Nov 9 at 1:46

Community♦

asked Nov 8 at 9:34

iPhoneJavaDev

2202730

edited Nov 9 at 1:46

Community♦

asked Nov 8 at 9:34

iPhoneJavaDev

2202730

edited Nov 9 at 1:46

Community♦

edited Nov 9 at 1:46

Community♦

edited Nov 9 at 1:46

Community♦

asked Nov 8 at 9:34

iPhoneJavaDev

2202730

asked Nov 8 at 9:34

iPhoneJavaDev

2202730

asked Nov 8 at 9:34

iPhoneJavaDev

2202730

This question has an open bounty worth +50
reputation from iPhoneJavaDev ending in 4 days.

Looking for an answer drawing from credible and/or official sources.

This question has an open bounty worth +50
reputation from iPhoneJavaDev ending in 4 days.

Looking for an answer drawing from credible and/or official sources.

Please post the redis options. I suspect you set the expiration on the data.
– niry
2 days ago

I didn't set any expiration on Redis. In the options i only provide the client to connect to. Besides, even when i encountered the timeout, the session id remains in redis.
– iPhoneJavaDev
2 days ago

Just to clarify, with "encountered the timeout", I mean the req.session.user that I set got deleted after 30 minutes of still being active. I'm thinking there's something going on with passport, maybe, i'm not sure.
– iPhoneJavaDev
2 days ago

add a comment |

Please post the redis options. I suspect you set the expiration on the data.
– niry
2 days ago

I didn't set any expiration on Redis. In the options i only provide the client to connect to. Besides, even when i encountered the timeout, the session id remains in redis.
– iPhoneJavaDev
2 days ago

Just to clarify, with "encountered the timeout", I mean the req.session.user that I set got deleted after 30 minutes of still being active. I'm thinking there's something going on with passport, maybe, i'm not sure.
– iPhoneJavaDev
2 days ago

Please post the redis options. I suspect you set the expiration on the data.
– niry
2 days ago

I didn't set any expiration on Redis. In the options i only provide the client to connect to. Besides, even when i encountered the timeout, the session id remains in redis.
– iPhoneJavaDev
2 days ago

Just to clarify, with "encountered the timeout", I mean the req.session.user that I set got deleted after 30 minutes of still being active. I'm thinking there's something going on with passport, maybe, i'm not sure.
– iPhoneJavaDev
2 days ago

add a comment |

1 Answer
1

active

oldest

votes

up vote
-1
down vote

From: https://www.npmjs.com/package/connect-redis

ttl Redis session TTL (expiration) in seconds. Defaults to
session.cookie.maxAge (if set), or one day. This may also be set to a
function of the form (store, sess, sessionID) => number.

You can avoid deleting keys by setting disableTTL:

disableTTL Disables setting TTL, keys will stay in redis until evicted
by other means (overides ttl)

answered 2 days ago

niry

1,2991021

I'm not sure about this as the sessionId remains in redis after the req.session.user got deleted.
– iPhoneJavaDev
2 days ago

Did you try actually it?
– niry
yesterday

At first, I didn't try it cause I think it's not related. Redis only stores the sessionId with key sess:<sessionId>. That's all. I think that's express-session's behavior, to store only the sessionId. So I don't think disabling TTL will do anything as req.session.user is not saved in redis. But then, I still try. I added store: new RedisStore({client: <myredisclient>, disableTTL: true}),. As expected, the same behavior. Because it's not related to req.session.user that I am setting.
– iPhoneJavaDev
yesterday

add a comment |

Your Answer

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53204922%2freq-session-user-is-deleted-while-user-is-active%23new-answer', 'question_page');
}
);

Post as a guest

Name

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

up vote
-1
down vote

From: https://www.npmjs.com/package/connect-redis

ttl Redis session TTL (expiration) in seconds. Defaults to
session.cookie.maxAge (if set), or one day. This may also be set to a
function of the form (store, sess, sessionID) => number.

You can avoid deleting keys by setting disableTTL:

disableTTL Disables setting TTL, keys will stay in redis until evicted
by other means (overides ttl)

answered 2 days ago

niry

1,2991021

I'm not sure about this as the sessionId remains in redis after the req.session.user got deleted.
– iPhoneJavaDev
2 days ago

Did you try actually it?
– niry
yesterday

At first, I didn't try it cause I think it's not related. Redis only stores the sessionId with key sess:<sessionId>. That's all. I think that's express-session's behavior, to store only the sessionId. So I don't think disabling TTL will do anything as req.session.user is not saved in redis. But then, I still try. I added store: new RedisStore({client: <myredisclient>, disableTTL: true}),. As expected, the same behavior. Because it's not related to req.session.user that I am setting.
– iPhoneJavaDev
yesterday

add a comment |

up vote
-1
down vote

From: https://www.npmjs.com/package/connect-redis

ttl Redis session TTL (expiration) in seconds. Defaults to
session.cookie.maxAge (if set), or one day. This may also be set to a
function of the form (store, sess, sessionID) => number.

You can avoid deleting keys by setting disableTTL:

disableTTL Disables setting TTL, keys will stay in redis until evicted
by other means (overides ttl)

answered 2 days ago

niry

1,2991021

I'm not sure about this as the sessionId remains in redis after the req.session.user got deleted.
– iPhoneJavaDev
2 days ago

Did you try actually it?
– niry
yesterday

At first, I didn't try it cause I think it's not related. Redis only stores the sessionId with key sess:<sessionId>. That's all. I think that's express-session's behavior, to store only the sessionId. So I don't think disabling TTL will do anything as req.session.user is not saved in redis. But then, I still try. I added store: new RedisStore({client: <myredisclient>, disableTTL: true}),. As expected, the same behavior. Because it's not related to req.session.user that I am setting.
– iPhoneJavaDev
yesterday

add a comment |

up vote
-1
down vote

From: https://www.npmjs.com/package/connect-redis

ttl Redis session TTL (expiration) in seconds. Defaults to
session.cookie.maxAge (if set), or one day. This may also be set to a
function of the form (store, sess, sessionID) => number.

You can avoid deleting keys by setting disableTTL:

disableTTL Disables setting TTL, keys will stay in redis until evicted
by other means (overides ttl)

answered 2 days ago

niry

1,2991021

From: https://www.npmjs.com/package/connect-redis

ttl Redis session TTL (expiration) in seconds. Defaults to
session.cookie.maxAge (if set), or one day. This may also be set to a
function of the form (store, sess, sessionID) => number.

You can avoid deleting keys by setting disableTTL:

disableTTL Disables setting TTL, keys will stay in redis until evicted
by other means (overides ttl)

answered 2 days ago

niry

1,2991021

answered 2 days ago

niry

1,2991021

answered 2 days ago

niry

1,2991021

answered 2 days ago

niry

1,2991021

I'm not sure about this as the sessionId remains in redis after the req.session.user got deleted.
– iPhoneJavaDev
2 days ago

Did you try actually it?
– niry
yesterday

At first, I didn't try it cause I think it's not related. Redis only stores the sessionId with key sess:<sessionId>. That's all. I think that's express-session's behavior, to store only the sessionId. So I don't think disabling TTL will do anything as req.session.user is not saved in redis. But then, I still try. I added store: new RedisStore({client: <myredisclient>, disableTTL: true}),. As expected, the same behavior. Because it's not related to req.session.user that I am setting.
– iPhoneJavaDev
yesterday

add a comment |

I'm not sure about this as the sessionId remains in redis after the req.session.user got deleted.
– iPhoneJavaDev
2 days ago

Did you try actually it?
– niry
yesterday

At first, I didn't try it cause I think it's not related. Redis only stores the sessionId with key sess:<sessionId>. That's all. I think that's express-session's behavior, to store only the sessionId. So I don't think disabling TTL will do anything as req.session.user is not saved in redis. But then, I still try. I added store: new RedisStore({client: <myredisclient>, disableTTL: true}),. As expected, the same behavior. Because it's not related to req.session.user that I am setting.
– iPhoneJavaDev
yesterday

I'm not sure about this as the sessionId remains in redis after the req.session.user got deleted.
– iPhoneJavaDev
2 days ago

Did you try actually it?
– niry
yesterday

At first, I didn't try it cause I think it's not related. Redis only stores the sessionId with key sess:<sessionId>. That's all. I think that's express-session's behavior, to store only the sessionId. So I don't think disabling TTL will do anything as req.session.user is not saved in redis. But then, I still try. I added store: new RedisStore({client: <myredisclient>, disableTTL: true}),. As expected, the same behavior. Because it's not related to req.session.user that I am setting.
– iPhoneJavaDev
yesterday

add a comment |

draft saved

draft discarded

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Name

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Agfdhyk