Expire cookie immediately upon destroying session#242
Conversation
9de1f74 to
7603648
Compare
|
@dougwilson: I'm sure you're day-job-and-open-source-swamped like the rest of us but if there is any chance of getting PR #240 and this PR merged and released within the next 2 weeks or so, my team and I would appreciate it! 👍 💝 |
|
Hi James, sorry I haven't been on a computer since you made this. I will look at this pull request as soon as I can. I cannot comment on when this pull request would be accepted, because I need to understand first what the pull requests does and understand if this is a desired feature, if there are edges cases, etc. I know you feel like it is a bug, but I need to look at it more, as to me, if feels like either a bug or a new feature. |
|
Sounds good, @dougwilson. Thanks! 👍 If you do end up feeling it is a new feature and would rather implement it as an option rather than as the new default behavior, I'd be fine with refactoring it to work as such if you give me a bit of design suggestion/guidance on how you'd like it to work. I'll keep an eye out for any feedback requiring changes on my part. 👀 |
|
@dougwilson: As mentioned in the issue (#241):
|
fe14c14 to
f0acf18
Compare
|
@dougwilson: If there is any chance of this being merged and released before Monday, I'd 💛 you for it. |
|
Hi @JamesMGreene , I'm sorry, I really wanted to (even did a few commits to this repo tonight, yay!) get this done tonight, before Monday for you. I just didn't get to, but what I did do is at least published the changes to npm that we had so far, and then I really want to get this change done on Monday for you. |
|
@dougwilson: If it makes it in this week, I can probably still pull it into our release branch. Monday would be best if possible so I can just get it into the mainline branch, though. 👍 |
|
Yea, I'm working on it. Just looked at it and there are all kinds of nits, like the function in |
|
And a reassignment of an argument, which results in a v8 de-opt. |
|
Hi! It seems like if a user calls var app = express()
.use(session({ secret: 'keyboard cat', cookie: { maxAge: 86400000 } }))
.use(function(req, res, next){
req.session.count = req.session.count || 0;
req.session.count++;
if (req.session.count === 2) {
req.session.destroy(function(err) {
if (err) return next(err);
res.end();
});
} else {
res.end();
}
}); |
There was a problem hiding this comment.
Can you move this to be alphabetical within all these functions while you're working on the destroy issue?
|
Hi @JamesMGreene , I'm not in a rush, but I know you seemed to be, so I just wanted to put a note here just in case you missed my comment in #242 (comment) |
|
Thanks, @dougwilson. You caught me in the thralls of our busy release sprint, so I didn't have any time to address this. I should be able to take a look this week. I'm OK with this change not going out with our next release; my PR #240 being merged into |
f0acf18 to
73bdaf9
Compare
@dougwilson: Can you fill me in more on this comment? |
73bdaf9 to
c19c384
Compare
Working through this issue now. |
c19c384 to
ad8c8b8
Compare
|
Alright, so the problem with when the user calls // Is this an existing session that is being destroyed?
var isBeingDestroyed = !!cookieId && shouldDestroy(req);Reminder of current // determine if session should be destroyed
function shouldDestroy(req) {
return req.sessionID && unsetDestroy && req.session == null;
}@dougwilson et al: Any advice on how to workaround this situation? P.S. Note that if you do set the |
ad8c8b8 to
4deb197
Compare
|
Hi @JamesMGreene, sorry I didn't reply right away; I was just trying to focus on pushing out Express 4.14 :) So I think that that is probably just not a full understanding of the current code, that that's OK! At least how it is designed right now, the |
|
OK, gotcha @dougwilson. I'll look into that further. |
4deb197 to
756301a
Compare
|
@dougwilson: Finally found a bit of time to dig into this further and get it all working. Please re-review the new version when you get a chance. Thanks! |
|
Hi @JamesMGreene , it looks like the last commit was Dec 10, 2015. Is that the most recent version? |
756301a to
c9102e4
Compare
|
@dougwilson: No, sorry, that was because I did a |
|
gently pokes @dougwilson No rush but a gentle reminder. :) |
|
@JamesMGreene You'll need to clean up re. the conflict 👍 |
c9102e4 to
f0cec99
Compare
f0cec99 to
0616699
Compare
|
Rebased and dealt with merge conflicts again. 👍 |
|
|
||
| // check if session has been or is being destroyed | ||
| function isBeingDestroyed(req) { | ||
| return req.sessionID && req.session == null; |
There was a problem hiding this comment.
Should this check that unsetDestroy is true here? That option is what makes the unsetting of req.session actually mean the session is to be destroyed, otherwise it does nothing.
There was a problem hiding this comment.
Hmm, if I add that check here, the tests don't pass any longer, but if I don't add the check, then req.session = null will destroy the cookie even if the user doesn't want req.session = null to destroy the session...
There was a problem hiding this comment.
Hmm, sounds like I must need another unit test for that last condition you mentioned. I'll take a peek when I get a chance.
| .get('/') | ||
| .expect(shouldNotHaveHeader('Set-Cookie')) | ||
| .expect(200, function(err, res){ | ||
| if (err) return done(err); |
There was a problem hiding this comment.
Looks like a bunch of accidental changes here with the formatting; I can fix, but figured I'd comment here in case you had to make a change from the question above.
There was a problem hiding this comment.
Yeah, that doesn't surprise me too much as it seemed like someone changed the test code style (e.g. to be semi-colon-less) in the time since my initial PR submission. I'll try to clean them up when I make my updates.
| assert.ok(delta <= 0) | ||
|
|
||
| delta = b.valueOf() - now.valueOf() | ||
| assert.ok(delta <= 0) |
There was a problem hiding this comment.
There is a shouldSetCookieToExpireIn helper that could probably be used here if you want.
There was a problem hiding this comment.
Thanks for letting me know. I'll take a peek and see if/where it makes sense to use.
|
Hi @JamesMGreene , I know it has been a long time. I let these PRs just sit and I'm trying to make it right by getting them all merged in. I went and rebased all your changes, and even made the adjustments I noted above. It doesn't seem like I'm able to push to your fork, though. If you haven't already done so, checking off the allow on the right hand side (https://help.github.com/en/articles/allowing-changes-to-a-pull-request-branch-created-from-a-fork) would allow me to push up the changes + rebase and then merge the pull request. But this is not a requirement to land your changes, it just will make the PR show as "merged" instead of "closed". If you're no longer around to do so / don't want to / whatever, it's no big deal. I will plan to merge it within a couple weeks if I don't hear back. |
9d2e29b to
408229e
Compare
|
closes in favor of #1138 |
Force an existing session's cookie to expire immediately upon destroying the session.
Fixes #241.