Interface SessionConfigParams

Configuration parameters used for the application session.

Hierarchy

  • SessionConfigParams

Properties

absoluteDuration?: number | boolean

Integer value, in seconds, for the session's absolute duration: the amount of time after login at which the user is logged out, regardless of activity. Set this to false if you don't want an absolute duration on your session. Default is 604800 seconds (7 days).

Configuration parameters used for the session cookie and transient cookies.

genid?: ((req) => string | Promise<string>)

Type declaration

    • (req): string | Promise<string>
    • A function for generating a session id when using a custom session store. For full details see the express-session documentation for genid.

      Be aware that the default implementation in this library differs slightly from the default session id generation used by express-session.

      IMPORTANT: If you override this method, take care to generate unique IDs so your sessions do not collide. Also, to reduce the ability to hijack a session by guessing its ID, you must either use a cryptographically strong random value of sufficient size or sign the cookie by setting signSessionStoreCookie to true.

      Parameters

      Returns string | Promise<string>

name?: string

String value for the cookie name used for the internal session. This value must only include letters, numbers, and underscores. Default is appSession.

requireSignedSessionStoreCookie?: boolean

If you enable signSessionStoreCookie, your existing sessions will be invalidated. You can use this flag to temporarily allow unsigned cookies while your users' session cookies are re-issued signed. For example:

Set signSessionStoreCookie to true and requireSignedSessionStoreCookie to false. Wait for your rollingDuration (default 1 day) or absoluteDuration (default 1 week) to pass, whichever comes first. By then every session cookie will either have been re-issued signed or have expired, so you can remove the requireSignedSessionStoreCookie option, which sets it back to true.

Signed session store cookies will be mandatory in the next major release.

rolling?: boolean

If you want your session duration to be rolling, i.e. reset every time the user is active on your site, set this to true. If you want the session duration to be absolute, where the user is logged out a fixed time after login regardless of activity, set this to false. Default is true.

rollingDuration?: number

Integer value, in seconds, for the application session's rolling duration: the amount of time the user must be idle before they are logged out. Default is 86400 seconds (1 day).

signSessionStoreCookie?: boolean

Sign the session store cookie to reduce the chance of collisions and the ability to hijack a session by guessing the session ID.

This is required if you override genid and don't use a cryptographically strong random value of sufficient size.

By default the session is stored in an encrypted cookie. But when the session gets too large it can bump up against the limits of cookie storage. In these instances you can use a custom session store. The store should have get, set and destroy methods, making it compatible with express-session stores.