I've set up a working login test as follows:

    var express = require('express');
    var fs = require('fs');
    var http = require('http');
    var path = require(

After some digging, it turns out Express does not support this sort of rolling, and it is left as an exercise for the programmer to implement.

It would help if the browser's expiry was reliably readable to Express, so you could bump the session only when it's close to expiry, but I use this as a workaround (inefficient) until I figure something smarter out:
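
    // Auth guard that also forces the session cookie to be re-sent.
    var check_auth = function(req, res, next) {
      console.log(req.isAuthenticated());
      if (req.isAuthenticated()) {
        // Toggle a throwaway value so the session counts as modified.
        if (req.session.roll) {
          req.session.roll = 0;
        } else {
          req.session.roll = 1;
        }
        return next();
      }
      return res.redirect('/login');
    };
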
Where roll could be anything, the point being the session is changed (on every auth-checked request*).
*) which also means it's wildly inefficient, but it will do for now.

One alternative could be to look up the TTL of the session id. This would have to be checked in a way like: if ttl < 10% * maxAge (as defined by the app), as the TTL is actually correctly updated on every request, it's just that Set-Cookie isn't sent. As such, say the user stays within the 90% of maxAge, his browser-cookie will eventually expire, so even that approach is not sufficient. It could be a good middle ground though.

I'll leave the question unaccepted, to encourage others to weigh in with better solutions.
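
The threshold idea from the answer above, as an added example (not the poster's code): the session is modified only when less than 10% of `maxAge` remains, and the deadline is also enforced on the server, because cookie expiry is enforced only by the client. The field names `createdAt` and `rolledAt`, the `absoluteMaxMs` cap, and the injectable `now` clock are assumptions of this sketch, and it relies on the behaviour described above that a modified session causes the cookie to be re-sent.

```javascript
// Added example: threshold-based rolling with server-side expiry.
// Assumed names (not from the post): createdAt, rolledAt, absoluteMaxMs, now.

// Decide what to do with a session at time nowMs (milliseconds).
// Returns 'init' | 'keep' | 'roll' | 'expire'.
function rollDecision(session, nowMs, opts) {
  const { maxAgeMs, thresholdFraction = 0.1, absoluteMaxMs } = opts;
  // First authenticated request: no timestamps stored yet.
  if (typeof session.createdAt !== 'number') return 'init';
  // Hard cap: a rolling session must not live forever, even if it is
  // used (or replayed) continuously.
  if (absoluteMaxMs !== undefined && nowMs - session.createdAt >= absoluteMaxMs) {
    return 'expire';
  }
  const remaining = session.rolledAt + maxAgeMs - nowMs;
  // The browser cookie should already be gone here; a client that ignores
  // cookie expiry is rejected on the server as well.
  if (remaining <= 0) return 'expire';
  // Touch the session only inside the last thresholdFraction of its life.
  return remaining < maxAgeMs * thresholdFraction ? 'roll' : 'keep';
}

// Express-style middleware built on rollDecision.
// Wiring (assumed route): app.get('/private', rollingAuth({ maxAgeMs: 600000 }), handler)
function rollingAuth(opts) {
  const now = opts.now || Date.now;
  return function checkAuth(req, res, next) {
    if (!req.isAuthenticated()) return res.redirect('/login');
    const t = now();
    const decision = rollDecision(req.session, t, opts);
    if (decision === 'expire') {
      // Drop the server-side record, then send the user to log in again.
      return req.session.destroy(function () { res.redirect('/login'); });
    }
    if (decision === 'init') {
      req.session.createdAt = t;
      req.session.rolledAt = t;
    } else if (decision === 'roll') {
      req.session.rolledAt = t; // the only write on ordinary traffic
    }
    return next();
  };
}
```

A user who is active only during the first 90% of `maxAge` still gets no fresh cookie, which is the limitation the answer points out.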