
Handle redirects after session expiry in ReactJS application with Node/Express backend?

I am using express-session with redis-store which creates a httpOnly cookie of session details. How should I handle cookie expiry and cookie being cleared by user so that I can redirect the user back to the login page?

Here are the scenarios:

  1. Cookie _session is cleared by the user.
  2. Cookie _session has reached its expiration.

So the natural response would be when the user reloads the site React should log him out. How am I supposed to handle this?

I'm assuming your Nodejs + Express code is a JSON API rather than serving up server-side rendered web pages. If this is the case, you should simply return an error if a request is made with an expired / non-existent session cookie. You can bundle this into a piece of middleware so you only have to write this once rather than multiple times. This middleware might return an error which indicates "invalid session" for example.

On the React side, if the specific error you've created for a bad / non-existent session cookie is returned by the API, it'll be up to your React code to decide what to do. You might choose to send the user to a page telling them they've logged out, or you might want to send them straight to a login prompt indicating that they must re-authenticate.

If the _session cookie expires, the browser will simply clear it out for you. So all you need to worry about on the API side is the cookie either not being provided, or the server side code invalidating the session somehow.

Example scenarios:

  • Scenario: Session cookie is not handed up with a request (either it expired, the user cleared cookies, or a previous request told the browser to remove the cookie). Result: reject the request with an error, use that error on the frontend to re-direct the user to a login screen with a message saying "You must first log in".
  • Scenario: The session has been terminated on the server side, meaning the token in the session cookie does not correspond to a valid session in the database (redis, mysql, etc). Result: return the same error as the one in the above scenario, the same result will happen and the user will be asked to login again.

As you can see, in either scenario it can be appropriate to return the same error, the frontend will interpret this error and decide how to get the user to re-authenticate (usually by redirecting the user to the login screen again).

app.get('*', function (request, response)  { 
   response.sendFile(path.resolve(__dirname, 'public', 'index.html')); 
});

@Elliot this is what I use for serving my React in Express. When I hit reload this call gets invoked and React loads. In API calls we have an error method. But in this there is no error method so how do I log the user out?
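The middleware approach described in the answer above, sketched as an added example that is not part of the original thread: one Express middleware returns a single "invalid session" error for both scenarios, and one client-side wrapper turns that error into a redirect. The `userId` session field, the `invalid_session` error code, the `/login` route and the `/api` prefix are assumptions.

```javascript
// Added example: names marked "assumed" are not from the original thread.
const INVALID_SESSION = 'invalid_session'; // assumed error code shared by API and client

// Express middleware. express-session creates a fresh, empty req.session when the
// cookie is missing, expired, or unknown to the store, so test for a field that is
// set only at login (userId is assumed) rather than for req.session itself.
function requireSession(req, res, next) {
  if (req.session && req.session.userId) return next();
  res.clearCookie('_session'); // drop any stale cookie the browser still holds
  return res.status(401).json({ error: INVALID_SESSION });
}

// Client-side wrapper used for every API call. fetchImpl and redirect are injected
// so the same function runs in the browser and in a test.
async function apiFetch(url, options = {}, fetchImpl = fetch,
                        redirect = (to) => window.location.assign(to)) {
  const res = await fetchImpl(url, { credentials: 'same-origin', ...options });
  if (res.status === 401) {
    const body = await res.json().catch(() => ({}));
    if (body.error === INVALID_SESSION) {
      redirect('/login'); // assumed login route
      return null;
    }
  }
  return res;
}

// Server wiring (assumed prefix), registered after the express-session middleware:
//   app.use('/api', requireSession);
```

Because the session cookie is httpOnly, the React code cannot inspect it directly; it only learns the session is gone from the API's 401 response.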
