Support manually roll the cookie? #688

Open
zhaoyao91 opened this issue Sep 10, 2019 · 9 comments
@zhaoyao91

To extend the session on the client side, for now I have to set the rolling field to true, but that would cause every request to carry the set-cookie header.

Could you provide a method such as req.session.rollCookie() which allows us to roll the client-side cookie manually?

@dougwilson
Contributor

To clarify: you want the behavior of rolling: true, but you just want to be able to choose which responses will have the set-cookie header instead of every response, is that correct?

@zhaoyao91
Author

@dougwilson yeah, exactly

@HarshithaKP

@zhaoyao91 Setting rolling: true is mainly used to refresh the set-cookie header (maxAge) for all incoming requests. If the need is to refresh the cookie maxAge only for selected requests, I think that can be done manually on requests without setting rolling: true.

@HarshithaKP

> manually on requests without setting rolling: true

I mean selectively on a per-request basis. For example:

if (on some condition) {
  req.session.cookie.maxAge = ...
}

@Piccirello

I too would like this feature. I want to set the cookie in the response of any html pages I render, but not for static assets (js, css, etc.). The only way to do this now is to reproduce the call to cookie.setcookie() locally, which doesn't seem like a great idea. I also acknowledge that serving static assets from node isn't a best practice, but sometimes simplicity wins.

@dougwilson
Contributor

Hi @Piccirello I think this is a different use-case. For example, with static files, it probably isn't just that you don't want to roll the cookie, but do you even need to go through all the work to load the session at all? If you structure to not invoke the session middleware for static assets, it would not only not roll on those responses, but skip all the work of loading the session in those cases as well.
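The structure suggested in the comment above, as an added example that is not part of the thread or of express-session: a wrapper that bypasses a session middleware for asset paths, exercised against a constructed stand-in for a `rolling: true` session. The names `skipForStatic`, `makeFakeSession`, `simulate` and the asset prefixes are assumptions made for illustration.

```javascript
// Added example: dependency-free sketch of "do not invoke the session
// middleware for static assets". The fake session below is a constructed
// stand-in for a rolling: true session; it is not the real library.
const STATIC_PREFIXES = ['/js/', '/css/', '/img/']; // assumed asset layout

// Wrap any (req, res, next) middleware so it is bypassed for asset paths.
function skipForStatic(middleware, prefixes = STATIC_PREFIXES) {
  return function (req, res, next) {
    const path = req.url.split('?')[0];
    // Paths with dot segments always take the session path, so a crafted
    // URL cannot reach an application route with the session skipped.
    const isStatic = !path.includes('..') &&
      prefixes.some((p) => path.startsWith(p));
    return isStatic ? next() : middleware(req, res, next);
  };
}

// Stand-in session middleware: counts store loads and always sets a cookie,
// which is what every response looks like with rolling: true.
function makeFakeSession(stats) {
  return function fakeSession(req, res, next) {
    stats.storeLoads += 1;
    req.session = { user: 'constructed-user' };
    res.headers['set-cookie'] = 'connect.sid=constructed; Max-Age=3600; HttpOnly';
    next();
  };
}

// Push constructed requests through the wrapped middleware and record
// which ones loaded a session and which responses carry Set-Cookie.
function simulate(urls) {
  const stats = { storeLoads: 0 };
  const guarded = skipForStatic(makeFakeSession(stats));
  const results = urls.map((url) => {
    const req = { url };
    const res = { headers: {} };
    guarded(req, res, () => {});
    return {
      url,
      sessionLoaded: req.session !== undefined,
      setCookie: 'set-cookie' in res.headers,
    };
  });
  return { stats, results };
}

const demo = simulate(['/dashboard', '/js/app.js', '/css/site.css?v=3']);
console.log(demo.stats, demo.results);
```

In an Express app the same effect comes from registering `express.static` before the session middleware, since a request answered by the static handler never reaches middleware registered after it.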

@Piccirello

@dougwilson I was able to implement a better solution based on your info. Thanks for the help!

@JiaJiaJiang

I have some pieces of advice here:

  • When rolling and resave are off, just renewing expires without changing the session value won't trigger a cookie and store update. Maybe the isModified method could take cookie.expire together in the hash result, so the cookie and session can be updated by just changing the maxAge or expires value without any change to the session value.
  • I found that the shouldSetCookie method uses the session's isModified method as a condition. Can we replace it with an isCookieModified method so the cookie won't be set if nothing has changed on the cookie itself?
  • The automatic touch() at the end of the response confused me for 2 days until I read the code. How about adding an option to disable this feature, because someone like me doesn't want to renew the cookie time by originalMaxAge after changing a session value?

@nwalters512

I'm running into this too. For context: we're using Postgres as a session store and we've implemented touch() on the store. However, this results in express-session writing to the store on every single request, which causes lots of write load (and the need to vacuum tons of dead tuples).

We would ideally want behavior like the following:

  • If the session has changed (that is, if someone writes to req.session with something like req.session.flash = 'message'), we will save the session and update the cookie. This is the existing and default behavior.
  • If the session has not changed, don't touch the session or update the cookie. However, if it's been more than 1 hour since the cookie was issued, reissue the cookie with a new expires and persist the session to the store.

We can get halfway there by making touch() on our store a no-op. My hope was that writing to req.session.cookie.expires or req.session.cookie.maxAge would make the usual "set a new cookie and save the session" machinery kick in, but that doesn't appear to be the behavior.

I know I can use rolling: true to constantly update the session cookie, but that will also still constantly write an updated session to the store, which I'm trying to avoid.

Am I trying to use this library incorrectly? There seems to be an awful lot of friction associated with my goal of not writing to the session store on every request and automatically extending the session after a certain amount of time since the last extension.
