
I'm using express/nodejs to store the logged-in session in redis with the code:

var express = require('express');
var RedisStore = require('connect-redis')(express); // express 3 style binding

var app = express();

app.use(express.session({
    key: 'myappname.sid',
    secret: "Some Secret!!!",
    store : new RedisStore({
        host : '127.0.0.1',
        port : 6379
    }),
    cookie : {
        maxAge : 604800 // one week
    }
}));

I check logged in status by:

function ensureAuthenticated(req, res, next) {
  if (req.isAuthenticated()) { return next(); }
  res.redirect('/login');
}

When I log in successfully, I see the session in both the Chrome cookie and Redis. But if I remove only one of them, either the cookie in Chrome or the entry in Redis, the app no longer shows a logged-in status. Why does the authentication status depend on both the Chrome cookie and Redis?

Second question: I added a domain like this

cookie : {
    domain: "localhost", // or ".localhost"
    maxAge : 604800 // one week
}

but when I log in successfully, no session cookie is stored in Chrome. Why is this?

2 Answers


For your second question, maxAge for cookie takes time in milliseconds. Your cookie would expire in 604 seconds.

For the first one, that is the correct way web security should work.


1 Comment

Thanks for your answer. About second question, it does not depend on maxAge.

Answer for question 1. With localhost, we need two dots with a subdomain like sub1.app.localhost. See: How do I make my sessions last cross-subdomain in Node.js Express?
