Geek Answers Handbook

Node Express Connect - Session Management

I wrote a session storage driver for ArangoDB for ConnectJS. It works, although it's still very alpha, but I have a couple of questions.

The first sessions that have the expires attribute "false" remain only for the duration of the user agent. I noticed that session.destroy () is not being called when the browser window closes. This results in an “abandoned” session remaining in the store. How can I clean them effectively? Is there a way to find and destroy scheduled sessions?

Secondly, I met the minimum requirements for my store of sessions, as indicated on this page: http://www.senchalabs.org/connect/session.html (closer to the bottom)

It will be receiving, installing and destroying. Two other recommended methods are length and sharpness. What exactly should these methods do? I assume that length returns the time during which the session is active? How is "clear" different from destruction? Thanks!

+8
session express connect arangodb
source share
1 answer

If you did not configure any event on the client to notify the server, the window closes, the server will not know that the session is no longer in use.

You want to mentally think of sessions as two parts. One part is the token (cookie), which is passed between the node and the browser. Secondly, the actual saving of sessions in the store (either the base MemoryStore, or Redis, or your new session store for another database). All connection session code matches each request.

  • Session cookie validation
  • If it exists, try to find it in the store.
  • Make available data from the store available for request
  • At the end of the request, update the TTL information for the cookie
  • Record the session back to the repository

Please note: if you are not using MemoryStore, node has no session data in memory other than your request. (Well, that would be in memory for a while, but would be unaccounted for and subject to garbage collection). When you think of different deployment scenarios, that makes sense.

Thus, the server-side session termination task is related to the Store itself. One of the reasons that Redis works great is that it automatically controls expiring things, which you can see connect-redis doing in its given operation :

  RedisStore.prototype.set = function(sid, sess, fn){ sid = this.prefix + sid; try { var maxAge = sess.cookie.maxAge , ttl = this.ttl , sess = JSON.stringify(sess); ttl = ttl || ('number' == typeof maxAge ? maxAge / 1000 | 0 : oneDay); debug('SETEX "%s" ttl:%s %s', sid, ttl, sess); this.client.setex(sid, ttl, sess, function(err){ err || debug('SETEX complete'); fn && fn.apply(this, arguments); }); } catch (err) { fn && fn(err); } };

You can see that it divides the TTL by 1000, because it uses seconds, not millions, to expire. The most popular MongoDB Session repository uses the same MongoDB TTL function.

So this was a long way of saying that you will either rely on your database engine to automatically end server-side sessions, or you need to implement the expiration yourself. You may have a process outside of your node application (maybe another node process) that does this, or your storage implementation may set the SetInterval task to periodically check and clean. For example, MySQL-based session storage does just that.

As for the second part of your question, what do length and clear do? The comment is correct that RedisStore does not implement them, and they can probably be ignored safely, however you can see their implementations in the source code of MemoryStore . Not too interesting.

clear frees all sessions and the callback if a callback is provided:

 MemoryStore.prototype.clear = function(fn){ this.sessions = {}; fn && fn(); };

length simply accesses the session number in the repository:

 MemoryStore.prototype.length = function(fn){ fn(null, Object.keys(this.sessions).length); };

Hope this was helpful.

+6
source share

More articles:


All Articles