koajs / generic-session

koa session store with memory, redis or others.
MIT License

Are the store implementations supposed to handle TTL? #64

Closed multimeric closed 4 years ago

multimeric commented 8 years ago

I've implemented my particular store (TMiguelT/koa-pg-session) such that I return the session data even if the session's TTL has passed. Am I meant to return null if TTL has passed, or is this supposed to be handled by the generic-session module?

I ran a basic test where I see if data is persisted after the TTL with the MemoryStore module, and nothing was returned (working correctly), versus my own Postgres module, which still returned data, so I assume it's my responsibility. Is this true?

dead-horse commented 8 years ago

If you set the cookie's maxage, the client-side browser will destroy the cookie after maxage. But somebody can record the cookie and request your server with this cookie after maxage, so your store should handle the TTL (koa-generic-session will parse the cookie's maxage and pass it to store.set).

multimeric commented 8 years ago

Yes, I understand the difference between maxAge and ttl, I'm just wondering if it's my responsibility to implement the ttl. From your response, it would seem so.

multimeric commented 8 years ago

Also regarding store implementation, can you shed some light on #48?
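
The store-side TTL enforcement discussed in this thread, as an added example that is not part of the thread and is not code from koa-generic-session or koa-pg-session. It assumes the `ttl` passed to `set` is in milliseconds; `TtlStore`, `read`, `write`, `defaultTtl` and `replayDemo` are hypothetical names, and the `Map` stands in for a database table whose rows persist until something deletes them.

```javascript
// Added example: a session store that enforces expiry on the server side,
// so a cookie recorded and replayed after maxage finds no session.
class TtlStore {
  // now: injectable clock (ms). defaultTtl: used when set() gets no usable ttl,
  // so a session is never stored without an expiry (assumed policy, 24 h).
  constructor({ now = Date.now, defaultTtl = 24 * 60 * 60 * 1000 } = {}) {
    this.rows = new Map(); // sid -> { data, expiresAt }
    this.now = now;
    this.defaultTtl = defaultTtl;
  }

  // Synchronous core: the expiry check happens on every read.
  read(sid) {
    const row = this.rows.get(sid);
    if (!row) return null;
    if (this.now() >= row.expiresAt) {
      this.rows.delete(sid); // expired: purge and report "no session"
      return null;
    }
    return JSON.parse(row.data);
  }

  write(sid, sess, ttl) {
    const life = Number.isFinite(ttl) && ttl > 0 ? ttl : this.defaultTtl;
    this.rows.set(sid, { data: JSON.stringify(sess), expiresAt: this.now() + life });
  }

  // Promise-returning methods with the get / set / destroy shape of a store.
  async get(sid) { return this.read(sid); }
  async set(sid, sess, ttl) { this.write(sid, sess, ttl); }
  async destroy(sid) { this.rows.delete(sid); }
}

// Constructed scenario: the session is stored with a 1000 ms ttl, then the
// same sid is presented again just before and just after expiry.
function replayDemo() {
  let clock = 0;
  const store = new TtlStore({ now: () => clock });
  store.write('sid-1', { user: 'alice' }, 1000);
  clock = 999;
  const beforeExpiry = store.read('sid-1');
  clock = 1000;
  const afterExpiry = store.read('sid-1');
  return { beforeExpiry, afterExpiry, rowsLeft: store.rows.size };
}
```

In a SQL-backed store the same rule is usually an `expires_at` column compared against the current time in the lookup query, plus a periodic delete of expired rows.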