Update default express-session expiration (#1406)

rooseveltframework · May 13, 2024 · 4fb4e21 · 4fb4e21
1 parent 1668d54
commit 4fb4e21
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 ## Next version
 
-- Put your changes here...
+- Added a max age to the default express-session configuration.
 
 ## 0.22.6
 

diff --git a/README.md b/README.md
@@ -550,14 +550,17 @@ Resolves to:
         "saveUninitialized": false, // usually a bad idea to set to true
         "cookie": {
           "secure": false, // will automatically be set to true if https is enabled
-          "sameSite": "strict" // adds same site enforcement
+          "sameSite": "strict", // adds same site enforcement
+          "maxAge": 347126472000 // sets expiration very far in the future (~11 years) to basically never expire
         }
         "store": [the expressSessionStore.instance Roosevelt param]
       }
       ```
 
       - Roosevelt sets `express-session` to use [memorystore](https://github.com/roccomuso/memorystore) as the default session store.
 
+      - The default setting for `maxAge` is ~11 years. You should set that to be shorter in use cases where you want sessions to expire regularly, e.g. if you want users to reauthorize and login again frequently for security reasons. 
+
   - If you supply your own parameters to `express-session`, it is recommended you take the above default configuration and modify it.
 
 - `expressSessionStore`: Define a custom session store to use with `express-session` instead of the default one provided by Roosevelt. This is recommended if you plan to shard your app across multiple separate processes or scale it to multiple servers.

diff --git a/lib/setExpressConfigs.js b/lib/setExpressConfigs.js
@@ -86,7 +86,8 @@ module.exports = function (app) {
         saveUninitialized: false,
         cookie: {
           secure: params.https.enable,
-          sameSite: 'strict'
+          sameSite: 'strict',
+          maxAge: 347126472000 // set very far in the future (~11 years) to basically never expire
         }
       }
     } else {