Optional
absoluteDuration
Integer value, in seconds, for the application session's absolute duration.
The amount of time after the user has logged in that they will be logged out.
Set this to false if you don't want an absolute duration on your session.
Default is 604800 seconds (7 days).
Optional
cookie
Configuration parameters used for the session cookie and transient cookies.
Optional
genid
A Function for generating a session id when using a custom session store. For full details see the genid documentation for express-session.
Be aware the default implementation is slightly different in this library as compared to the default session id generation used in express-session.
IMPORTANT: If you override this method you should be careful to generate unique IDs so your sessions do not conflict. Also, to reduce the ability to hijack a session by guessing the session ID, you must use a suitable cryptographically strong random value of sufficient size or sign the cookie by setting signSessionStoreCookie to true.
Optional
name
String value for the cookie name used for the internal session.
This value must only include letters, numbers, and underscores.
Default is appSession.
Optional
requireSignedSessionStoreCookie
If you enable signSessionStoreCookie your existing sessions will be invalidated. You can use this flag to temporarily allow unsigned cookies while you sign your users' session cookies. For example:
Set signSessionStoreCookie to true and requireSignedSessionStoreCookie to false.
Wait for your rollingDuration (default 1 day) or absoluteDuration (default 1 week) to pass (whichever comes first). By this time all your session cookies will either be signed or have expired; you can then remove the requireSignedSessionStoreCookie config option, which will set it to true.
Signed session store cookies will be mandatory in the next major release.
Optional
rolling
If you want your session duration to be rolling, e.g. reset every time the user is active on your site, set this to true. If you want the session duration to be absolute, where the user is logged out a fixed time after login, regardless of activity, set this to false.
Default is true.
Optional
rollingDuration
Integer value, in seconds, for application session rolling duration. The amount of time for which the user must be idle for them to be logged out. Default is 86400 seconds (1 day).
Optional
signSessionStoreCookie
Sign the session store cookies to reduce the chance of collisions and reduce the ability to hijack a session by guessing the session ID.
This is required if you override genid and don't use a suitable cryptographically strong random value of sufficient size.
Optional
store
By default the session is stored in an encrypted cookie. But when the session gets too large it can bump up against the limits of cookie storage.
In these instances you can use a custom session store. The store should have get, set and destroy methods, making it compatible with express-session stores.
Configuration parameters used for the application session.
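The following is an added example, not code from the library or from this page, that combines the genid, store and signed-cookie options above, including the two-phase signing rollout described under requireSignedSessionStoreCookie. MapStore, sessionConfig, migrationWindow and auditSessionConfig are hypothetical helper names, and the 32-byte ID size is an assumption of the example.

```javascript
const crypto = require('node:crypto');

// genid override: 32 bytes from the OS CSPRNG (the size is this example's choice).
const genid = () => crypto.randomBytes(32).toString('hex');

// Hypothetical in-memory store with the get/set/destroy methods the store
// option expects (express-session callback style); for illustration only.
class MapStore {
  constructor() { this.sessions = new Map(); }
  get(sid, cb) { cb(null, this.sessions.get(sid) || null); }
  set(sid, data, cb) { this.sessions.set(sid, data); cb(null); }
  destroy(sid, cb) { this.sessions.delete(sid); cb(null); }
}

// Session options for the two rollout phases: 'migrating', then 'final'.
function sessionConfig(phase) {
  const cfg = {
    name: 'appSession',
    rolling: true,
    rollingDuration: 86400,   // idle timeout, 1 day (the default)
    absoluteDuration: 604800, // hard limit, 7 days (the default)
    store: new MapStore(),
    genid,
    signSessionStoreCookie: true,
  };
  // Phase 1: keep accepting unsigned cookies issued before signing was enabled.
  if (phase === 'migrating') cfg.requireSignedSessionStoreCookie = false;
  return cfg;
}

// Seconds to stay in phase 1: whichever enabled session limit passes first.
function migrationWindow(cfg) {
  const limits = [cfg.absoluteDuration];
  if (cfg.rolling !== false) limits.push(cfg.rollingDuration);
  return Math.min(...limits.filter((n) => Number.isInteger(n) && n > 0));
}

// Findings derived from the option descriptions on this page.
function auditSessionConfig(cfg) {
  const findings = [];
  if (!/^[A-Za-z0-9_]+$/.test(cfg.name || 'appSession'))
    findings.push('name: only letters, numbers and underscores are allowed');
  if (cfg.genid && cfg.signSessionStoreCookie !== true)
    findings.push('genid overridden and cookie unsigned: confirm genid uses a CSPRNG');
  if (cfg.signSessionStoreCookie === true && cfg.requireSignedSessionStoreCookie === false)
    findings.push('unsigned session cookies are still accepted (migration phase)');
  return findings;
}
```

Deploy the 'migrating' object first, wait migrationWindow seconds, then switch to the 'final' object, which omits requireSignedSessionStoreCookie.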