milenkovyua closed 7 years ago
The idea of the activeDuration is to not expire a user's session while they are actively interacting with your site. If we pick an activeDuration of 15 minutes, this means that if a user interacts with your site and has less than 15 minutes before expiration, the expiration period will be pushed out 15 minutes into the future.
In my case the activeDuration is equal to the session duration, which causes the session createdAt to become createdAt+activeDuration, and the session to become twice as long as it must be. I think you must handle this scenario separately.
I used to have the situation where the user's browser checks in for session validity and redirects the user to the login page when the session expires. I used a route which calls your decode function (and bypasses the client-sessions middleware) with the session cookie value, and it worked great until I noticed that the value of createdAt in the returned object is after the current time (which is incorrect). In my code I check for session validity by testing if the current time is between the createdAt and (createdAt + duration), but with this bug this will never be true, just because the createdAt is set to (createdAt+duration), which actually points to the time the session will expire, and createdAt+duration becomes (createdAt+2*duration). This makes the entire session twice the activeDuration value longer than it must be (or actually invalid).
After further inspection, I figured out your bug is at line 495, where the following code:
this.createdAt += this.activeDuration;
must become
this.createdAt = new Date().getTime();
or something else which will return the current time in milliseconds.
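The timestamp arithmetic reported in this issue, worked through as an added example (not part of the original post and not the client-sessions source). The function names, the renewal condition modelled from the quoted activeDuration description, and the timestamps are assumptions constructed for illustration.

```javascript
// Simplified model of sliding session renewal; NOT the library's code.
const MIN = 60 * 1000;

// True when the session is still live but has less than activeDuration left.
function needsRenewal(session, now) {
  const expiresAt = session.createdAt + session.duration;
  return now < expiresAt && expiresAt - now < session.activeDuration;
}

// Renewal as the issue reports it: the start timestamp is shifted forward.
function renewByShift(session, now) {
  if (needsRenewal(session, now)) {
    session.createdAt += session.activeDuration;
  }
  return session;
}

// Renewal as the issue proposes: restart the window at the current time.
function renewByReset(session, now) {
  if (needsRenewal(session, now)) {
    session.createdAt = now;
  }
  return session;
}

// The reporter's validity check: now must lie in [createdAt, createdAt + duration).
function isValidAt(session, now) {
  return now >= session.createdAt && now < session.createdAt + session.duration;
}

// Constructed scenario: duration == activeDuration == 15 min, one request 1 min in.
function scenario(renew) {
  const t0 = 1000000000000; // constructed epoch timestamp in ms
  const now = t0 + 1 * MIN;
  const fresh = { createdAt: t0, duration: 15 * MIN, activeDuration: 15 * MIN };
  const s = renew(fresh, now);
  return {
    createdAtOffsetMin: (s.createdAt - t0) / MIN, // minutes after original creation
    expiresOffsetMin: (s.createdAt + s.duration - t0) / MIN,
    validNow: isValidAt(s, now),
  };
}

console.log("shift:", scenario(renewByShift));
console.log("reset:", scenario(renewByReset));
```

With the shift, createdAt lands 14 minutes ahead of the request time, so any consumer that treats createdAt as a past timestamp (as the reporter's validity route does) rejects a session that the expiry check alone would still accept.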