In a web app am developing using express.js am having a problem expiring sessions when a user has not been active for more than 10 minutes. Am using connect-couchdb as the session store.
I tried setting the req.session.cookie.maxAge = 600000. But this causes the session to expire 10 mins after logging in irrespective of user activity. My understanding of the documentation is that req.session.touch() will be called automatically by the connect middleware and hence maxAge (and the expires date) should get refreshed so it lasts another 10 mins, but it is not happening!!
I also tried setting maxAge to 600000 on each request and calling req.session.save() but even then there is no effect.
What am I doing wrong?
You are not doing anything wrong---this is a bug in Connect. The session cookie gets updated in the server, but not pushed to the client, and so the client keeps trying to use the old cookie, which will expire sooner than you want.
More details and discussion here.
Related
In my MVC Core application I'm using sessions to track logins. This works great, but is an issue when my web application goes idle/restarts, as the sessions clears and all users gets logged out. I've modified my application to store the session data in a database caching-table, through calling and setting services.AddDistributedSqlServerCache(options) & services.AddSession(options) in the Startup ConfigureServices method, as well as calling app.UseSession() in the Configure method.
I seem to have done everything correctly; when a new client for the first time sets a session value it's saved in the caching-table, and when Sesion.Get is called the session ExpiresAtTime table-value updates.
So, considering that the session data is saved to the table, why is it not being grabbed on restarts? It isn't a cookie issue, the cookie expiration value is set to 10 years, and the session idle timeout value is set to 2 weeks. It seems like the Session data is just being handled through IIS memory, yet is being saved to my caching db-table, which I find very weird.
I am implementing Identityserver where sliding expiration value is set at client side. So is it secure?
Does asp.net session timeout work in similar way? i.e. client side comparison?
Just need theory about whether session timeout is client side thing or server side thing.
What exactly happens when session timeout. Cookie clear or any server value clear?
Sliding expiration means that each time the session is accessed it will reset the timer back to 20 minutes again.
Also, by default sliding expiration is used so you don't need to write any code.
If the user does not access the session for the timeout period then the session will expire. If the user accesses the session at(for instance) 3:01 then the session will expire at 3:21. If the user accesses the session at 3:10 then the session will then expire at 3:30. It is always 20 minutes after the user last accessed the session (that is the meaning of sliding expiration). If the user does not access the session in that 20 minutes then the session will expire.
Hope the answer gets you a glimpse of sliding expiration...
Lets say session for an application is opened and its session expiry time is 15 min.
Scenarios:
Leaving the application for 15 min and doing some action after that - leading to Login Page.
In other way I am removing the Browser cookies by using (Ctrl+Shift+Del) and trying to navigate in the application - leading to Login Page.
The Question is: Will both of the above cases were one and the same or will there be any difference in the behavior.
The first scenario is based on a cookie expiring while the second one will have the cookie removed.
If you are guaranteed the refresh for the first case is made after the cookie expired, then the client behaviour will be the same (login page) although the internal workings will be different (check the cookie exists vs check its expiry date)
If you can't guarantee the operation will happen after the cookie expiry, then you won't get the same outcome.
Depending on what you do on the server, you might end up with multiple sessions for the same user in the second case, because the server doesn't know the user has deleted the cookie (there are mechanisms to compensate for this though).
In my web application(jsp/servlet) there is a web page which create Ajax request periodically to grab the latest data from the server.This page is the main page which is always open once user log in to the system while other pages open in new browser windows(due to user events).
I have to invalidate the user session which idle for more than 30 minutes. For that I use Tomcat session timeout feature. But the thing is most of the time users session which are idle for 30 min are not invalidated.
But some time user sessions are invalidated by Tomcat after 30 min. I think this is because the main page send Ajax request periodically without idling the session.
I want to know that is Tomcat can't identified the auto generated request from user event and invalidate session properly.Please give an ideas on this,it will be very helpful for me.
Dinesh
I don't think you have a choice here - if Tomcat identifies and ignores the AJAX request, you'll lose the functionality it provides for you
I am working on a e-commerce project using the Auth Component for authentication and Sessions Component for storing my cart.
The problem is that the session gets cleared abruptly after a while even when I am actively browsing the site. I know this should be because of the Session timeout but just increasing the timeout value is not the solution I am looking for.
I want the session to expire only when a user closes his browser. Can this be achieved?
AFAIK all you can do is to set a session timeout variable far into the future. Sessions are automatically cleared when the browser is closed (unless you set a Remember Me type cookie). Setting it far into the future will effectively accomplish what you need to do.
How long into your session is it timing out? It should only timeout when your user is inactive for a period of time. If it times out in-between requests, and you know the timeout time has not elapsed, you have some other issues going on. What are the settings in your core.php file regarding your security levels and session timeouts?