
Persistent user sessions in node.js using Google Authentication

I followed a tutorial to include Google authentication for my web application using the passport-google-oauth module. The server.js file has the following lines of code:

app.use(express.session({ secret: 'victoriassecret' })); // session secret
app.use(passport.initialize());
app.use(passport.session()); // persistent login sessions

In addition, I find that the application automatically logs the user out after some time. Passport is configured in a separate file that is imported in server.js. Is there some way I can increase the time before the user is logged out, or even better, not log him out until he clicks on the logout button? Also, what is the session secret?

1) You can define the maximum lifetime of a session cookie (and concurrently the time before a user is automatically logged out) using the maxAge option of the cookie parameter like this:

app.use(expressSession({ cookie: {maxAge: 10000} , secret: 'victoriassecret'}));   

According to this maxAge value (10000), the cookie's maximum lifetime will be 10,000 ms (10 sec). (Obviously you need a much bigger value than this.)

Thus, you can increase the maxAge value to suit your needs and make sure the user does not get logged out until he decides to, by pressing the Logout button.

2) The session secret is a random string used to hash the session with HMAC (more on HMAC: here) in order to protect the session from being hijacked.
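
An added example (not part of the original answer, and not the express-session source) of the role the session secret plays, assuming the session ID in the cookie is tagged with HMAC-SHA256. The function names and the sample session ID are made up for illustration.

```javascript
// Added illustration: how a server-side secret lets the server detect
// a session-ID cookie that was modified or forged by the client.
const crypto = require('crypto');

// Generate a high-entropy secret rather than a guessable phrase.
function generateSecret() {
  return crypto.randomBytes(32).toString('hex');
}

// Append an HMAC-SHA256 tag computed over the session ID with the secret.
function sign(sessionId, secret) {
  const tag = crypto.createHmac('sha256', secret).update(sessionId).digest('hex');
  return `${sessionId}.${tag}`;
}

// Return the session ID if the tag verifies, otherwise false.
function unsign(cookieValue, secret) {
  const idx = cookieValue.lastIndexOf('.');
  if (idx === -1) return false; // no tag present
  const sessionId = cookieValue.slice(0, idx);
  const expected = Buffer.from(sign(sessionId, secret));
  const actual = Buffer.from(cookieValue);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (expected.length !== actual.length) return false;
  return crypto.timingSafeEqual(expected, actual) ? sessionId : false;
}

// Constructed sample values.
const secret = generateSecret();
const cookie = sign('sess-1234', secret);
const tampered = cookie.replace('sess-1234', 'sess-9999');

console.log(unsign(cookie, secret));           // genuine cookie verifies
console.log(unsign(tampered, secret));         // edited session ID is rejected
console.log(unsign(cookie, generateSecret())); // wrong secret is rejected
```

Anyone who learns the secret can produce valid tags, so it belongs in configuration kept out of source control, not in a literal in server.js.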
