Cookie should expire immediately when session is destroyed

[JamesMGreene]

I believe that the session cookie should be forced to immediately expire when the session is destroyed (i.e. when the user logs out) on the server-side.

While the Session Store I am using is correctly handling this such that a subsequent request from the same client would create a new cookie/session, having the existing cookie for the now-destroyed session be forcibly expired keeps things much cleaner and clearer on the client-side.

Doing so also avoids wasting some bytes on the network bandwidth of every outgoing request from the client by not including the irrelevant cookie. If the session has been destroyed but the cookie's normal expiration date has not yet been reached, this can contribute an undesirable amount of unnecessary upload bytes incurred from the client's outgoing requests due to always being required to include that irrelevant cookie in the Cookie header until it naturally expires.

When combined with my changes in PR #240 to fix the interaction between rolling: true and saveUnitialized: false, fixing this would keep things significantly cleaner on the client-side.

[JamesMGreene]

@dougwilson: Perhaps this should only be the expected behavior if the cookie would've been updated normally anyway, e.g. if the rolling: true option was enabled.

[dougwilson]

I think this idea makes sense. My only thought is if it should be configurable or not. I would assume that no one would be using the session ID from the cookie to mean something after the session gets destroyed, but not 100% sure (crazy hacks at times, I'm sure).

[JamesMGreene]

@dougwilson:

I'm fine proceeding any which way:

1. the state of the current PR where it is just the new default behavior to always update the cookie upon session termination,
2. only update the cookie upon session termination if rolling: true is set, or
3. adding some new configuration option to control whether the cookie is updated upon session termination.

Just advise me of which and I'll happily update the PR accordingly (if not Option 1). Thanks!

[dougwilson]

Hi @JamesMGreene , nothing to change currently. I want option # 1 like you implemented, as I think it makes the most sense. I'm just doing some digging real quick to make sure there is no obvious reason # 1 can't go forward :)

[JamesMGreene]

👍

[JamesMGreene]

@dougwilson: Have you given this any further thought yet? No worries if not. 🎄 ⛄

[dougwilson]

I'm so sorry I've let this hang like this on you. I did look and I didn't see any reason why we won't add this as the default behavior. The only edge case I saw was a user calling destroy and then regenerate in the same request. Just glancing at the changeset, it looks like this should be handled, but if you also wanted to give a look over for that edge case, that'd be awesome.

I'll make sure this gets released in a version Friday or Saturday.

[JamesMGreene]

The only edge case I saw was a user calling destroy and then regenerate in the same request. Just glancing at the changeset, it looks like this should be handled, but if you also wanted to give a look over for that edge case, that'd be awesome.

I'm not necessarily familiar with this case but I'd be happy to look into it if you can maybe point me to an existing test that exercises this functionality and provide some guidance as to the expected behavior in this new scenario.

Don't fret about the delay, your turnaround is still very quick compared to that of my own championed open source projects, and we are on a holiday break at work right now anyway. 😄

[JamesMGreene]

@dougwilson Ping-a-ling-a-ling. 😊

I would love to get this change integrated this week, if possible, as we are shipping a new release next week. ❤️

[dougwilson]

Hi @JamesMGreene , sorry! So what I was talking about was the .destroy (https://github.com/expressjs/session#sessiondestroy) and the .regenerate (https://github.com/expressjs/session#sessionregenerate) APIs we provide. I haven't gotten around to testing it out myself yet. If you want to try/add a test to the PR for it, that would be awesome!

Essentially the following, given a cookie on the request that represents an existing session, should work correctly by still setting a cookie, but of course it would just have a new ID:

app.use(function (req, res, next) {
  req.session.destroy(function (err) {
    if (err) return next(err)
    req.session.regenerate(function (err) {
      if (err) return next(err)
      req.session.now = Date.now()
      res.end()
    })
  })
})