fastify / fastify-secure-session

Create a secure stateless cookie session for Fastify
MIT License
206 stars 47 forks

No way to update session expiration #225

Closed vostrnad closed 6 months ago

vostrnad commented 6 months ago

Issue

I got a little confused by this code snippet in the README:

fastify.get('/ping', (request, reply) => {
  request.session.options({maxAge: 3600})

  // Send the session cookie to the client even if the session data didn't change
  // can be used to update cookie expiration
  request.session.touch()
  reply.send('pong')
})

It turns out this does not change when the session expires; it only changes what Max-Age is sent to the browser. I looked around and didn't find a way to actually extend a session. Is this intentional, or is it a missing feature that could be added?

mcollina commented 6 months ago

This is by design. You can increase the expiry in the plugin config. Otherwise a leaked session cookie could persist forever.
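
The distinction discussed in this thread, as an added example that is not part of the thread and not the plugin's own code: a simplified model of a stateless sealed cookie whose issue time sits inside the authenticated ciphertext, so changing Max-Age and re-sending the cookie does not move the server-side deadline. Assumptions: the names `seal`, `open`, `touch`, `demo` and `EXPIRY_S` are hypothetical, AES-256-GCM from `node:crypto` is a stand-in for the plugin's real encryption, and the timeline values are constructed.

```javascript
// Simplified model of a stateless sealed-cookie session; NOT the plugin's code.
// AES-256-GCM from node:crypto is a stand-in for the plugin's real encryption.
const crypto = require('node:crypto')

const KEY = crypto.randomBytes(32) // constructed demo key
const EXPIRY_S = 3600              // server-side lifetime, fixed in config

// Seal session data together with its issue time (in seconds).
function seal (data, issuedAt) {
  const iv = crypto.randomBytes(12)
  const c = crypto.createCipheriv('aes-256-gcm', KEY, iv)
  const body = Buffer.concat([c.update(JSON.stringify({ data, issuedAt })), c.final()])
  return Buffer.concat([iv, c.getAuthTag(), body]).toString('base64url')
}

// Return the session payload, or null if forged, tampered with or expired.
function open (cookie, now) {
  try {
    const raw = Buffer.from(cookie, 'base64url')
    const d = crypto.createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12))
    d.setAuthTag(raw.subarray(12, 28))
    const text = Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString()
    const session = JSON.parse(text)
    return now - session.issuedAt > EXPIRY_S ? null : session
  } catch {
    return null
  }
}

// Model of touch(): re-send the session with a new Max-Age attribute.
// Assumption: the sealed issuedAt is carried over, so the deadline is unchanged.
function touch (cookie, now, maxAge) {
  const s = open(cookie, now)
  return s && { value: seal(s.data, s.issuedAt), maxAge }
}

// Constructed timeline: login at t=0, touch at t=1800 with Max-Age=3600.
function demo () {
  const original = seal({ user: 'alice' }, 0)
  const touched = touch(original, 1800, 3600)
  const forged = Buffer.from(touched.value, 'base64url')
  forged[30] ^= 1 // flip one ciphertext bit
  return {
    beforeDeadline: open(touched.value, 3599) !== null, // accepted
    afterDeadline: open(touched.value, 3601) !== null,  // rejected; browser keeps it to t=5400
    leakedCopy: open(original, 3601) !== null,          // a copied cookie ends at the same time
    tampered: open(forged.toString('base64url'), 1800) !== null
  }
}
```

In this model the only way to extend a session is to seal a new `issuedAt`, which is the sliding-expiration behaviour that would let any copy of the cookie be renewed indefinitely.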