Let the Session Die, aka Set a Time-to-Live

The MemoryStore session by default has no termination date, meaning that if a user is signed in, then in theory the user remains signed in forever. Since the default cookie expiration is undefined, forever in this case means as long as the browser is open: without expiration information, the cookie is deleted only when the browser closes.

The RedisStore implementation has a default Time-to-Live (TTL) of one day, which is a lot better but still not good enough. If you log into some website, say your bank, and move away from the computer, then it’s bad if an hour later someone else can come along and still access your account. The OWASP recommendation is that session timeout be no longer than five minutes ...
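As an added example (not code from the book), the express-session options described above, first with the weak defaults and then with a five-minute cookie lifetime, plus a small idle-timeout middleware for the server-side record. `cookie.maxAge` and `rolling` are express-session options and `ttl` (in seconds) is a connect-redis option; the secret is a placeholder.

```javascript
const FIVE_MINUTES_MS = 5 * 60 * 1000;

// Before: the defaults the text describes. With no cookie.maxAge the session
// cookie lives until the browser closes, and the server-side record never
// expires in MemoryStore (RedisStore keeps it for a day).
const weakOptions = {
  secret: 'REPLACE-WITH-A-LONG-RANDOM-SECRET', // placeholder, not a real value
  resave: false,
  saveUninitialized: false,
};

// After: cap the cookie at five minutes and renew it on every response
// (rolling), so the limit behaves as an idle timeout for active users.
// Usage: app.use(session(sessionOptions(new RedisStore({ client, ttl: 300 }))))
function sessionOptions(store) {
  return {
    ...weakOptions,
    store,
    rolling: true,
    cookie: { maxAge: FIVE_MINUTES_MS, httpOnly: true, secure: true, sameSite: 'lax' },
  };
}

// Server-side idle check for stores whose TTL is coarser than the cookie's:
// record the time of the last request in the session and destroy the session
// when the gap exceeds maxIdleMs. `now` is injectable so it can be tested.
// Usage: app.use(idleTimeout()) after app.use(session(...))
function idleTimeout(maxIdleMs = FIVE_MINUTES_MS, now = Date.now) {
  return function (req, res, next) {
    const t = now();
    const last = req.session && req.session.lastActive;
    if (last !== undefined && t - last > maxIdleMs) {
      // Expired: drop the server-side record so the old cookie is worthless.
      return req.session.destroy(() => res.status(401).end());
    }
    if (req.session) req.session.lastActive = t;
    next();
  };
}
```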

Get Secure Your Node.js Web Application now with the O’Reilly learning platform.
