Node.js Express sessions


I’m working with express-session right now and I’m concerned about a few things.

I have made a “remember me” checkbox and I was wondering whether what I’m doing on the backend is correct.
The code from the backend:

const passport = require("passport"); // assumed: passport (LocalStrategy) and express-session are already configured

const postLogin = (req, res, next) => {
  // Runs the "local" strategy; passport itself redirects on success or failure
  passport.authenticate("local", {
    successRedirect: "/account",
    failureRedirect: "/login",
    failureFlash: true
  })(req, res, next);
  // Runs right after the authenticate() call returns, on every login POST
  if (req.body.remember_me) {
    req.session.cookie.maxAge = 30 * 24 * 60 * 60 * 1000; // 30 days
  } else {
    req.session.cookie.expires = false; // browser-session cookie
  }
};

It seems to work without any issues, but I’m unsure whether this is the correct and secure way of doing it, or whether there’s a better way to do it.

Also, if someone visits the login page, enters the wrong login details and checks the “remember me” checkbox, it extends the session of a user who is not logged in too, which I don’t think should happen.

Also, I only want to store sessions for logged-in users, but right now it stores sessions for all users, even those who are not logged in. Or is it normal for all users to have a session, even anonymous, not-yet-logged-in ones?
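As an added example (not the poster's code and not from any reply in this thread), here is one way to structure the same "remember me" handler so that the cookie lifetime is only changed for a user who has actually authenticated, and so that anonymous visitors never get a stored session. It uses passport's custom-callback form of authenticate() and express-session's saveUninitialized option. The express, passport and express-session modules are not required in the file so that it runs stand-alone; the wiring lines in the header comment, the stub passport/req/res objects at the bottom and the sample credentials are assumptions made for the example.

```javascript
// Added example (not the poster's code): a "remember me" login handler for
// express-session + passport where the cookie lifetime is changed only after
// authentication succeeds. express, passport and express-session are not
// required here so that the file runs stand-alone against the stubs at the
// bottom. In a real app the wiring is (assumed, not shown in the thread):
//   app.use(session(sessionOptions));           // express-session
//   app.post("/login", makePostLogin(passport)); // passport with LocalStrategy

const THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000;

// express-session options. saveUninitialized:false is what keeps anonymous
// visitors out of the store: a session is only persisted once something has
// been written to it, and passport writes req.session.passport on login.
const sessionOptions = {
  secret: process.env.SESSION_SECRET || "dev-only-secret", // assumption: set via env in production
  resave: false,
  saveUninitialized: false,
  // store: new RedisStore({ client }), // optional persistent store, e.g. connect-redis
  cookie: {
    httpOnly: true,
    secure: process.env.NODE_ENV === "production",
    sameSite: "lax",
    // no maxAge: the default is a browser-session cookie; the handler below
    // lengthens it per user, and only after a successful login
  },
};

// Map the form flag to a cookie lifetime. Any truthy value ("on", "1") opts in;
// an absent field (unchecked box) opts out. null means browser-session cookie.
function cookieLifetimeFor(rememberMe) {
  return rememberMe ? THIRTY_DAYS_MS : null;
}

function makePostLogin(passport) {
  return function postLogin(req, res, next) {
    // Custom-callback form of authenticate(): we do the redirect ourselves
    // after logIn completes, instead of touching req.session while
    // passport's own successRedirect may already be in flight.
    passport.authenticate("local", (err, user) => {
      if (err) return next(err);
      if (!user) {
        // Wrong credentials: the anonymous session is left untouched and,
        // with saveUninitialized:false, is never written to the store.
        return res.redirect("/login");
      }
      req.logIn(user, (loginErr) => {
        if (loginErr) return next(loginErr);
        // passport >= 0.6 regenerates the session id inside logIn (session
        // fixation defence), so the cookie set here belongs to the new,
        // authenticated session only.
        req.session.cookie.maxAge = cookieLifetimeFor(req.body && req.body.remember_me);
        return res.redirect("/account");
      });
    })(req, res, next);
  };
}

// Exercise the handler against constructed stubs for passport, req and res
// (no real strategy, store or network). Returns what a real request would
// observe: redirect target, resulting cookie maxAge and the logged-in user.
function simulateLogin({ validCredentials, rememberMe }) {
  const stubPassport = {
    authenticate: (_strategy, done) => (_req, _res, _next) =>
      done(null, validCredentials ? { id: 42, name: "alice" } : false),
  };
  const req = {
    body: { username: "alice", password: "hunter2", remember_me: rememberMe ? "on" : undefined },
    session: { cookie: { maxAge: null } }, // express-session's default: browser-session cookie
    user: null,
    logIn(user, done) { this.user = user; done(null); },
  };
  const res = { redirectedTo: null, redirect(url) { this.redirectedTo = url; } };
  makePostLogin(stubPassport)(req, res, (err) => { throw err; });
  return { redirectedTo: res.redirectedTo, maxAge: req.session.cookie.maxAge, user: req.user };
}
```

The two changes that matter are the ordering (the cookie is only touched inside the logIn callback, so a failed login never reaches that line) and saveUninitialized:false (an untouched anonymous session is not saved, so the store only ever holds authenticated sessions). simulateLogin shows all three cases: valid credentials with and without the box ticked, and wrong credentials with it ticked.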


Yeah, it’s fine as far as security goes. I would recommend checking into Redis, as it’ll have less boilerplate and be quicker than passport. That would also remove the storing of users who are not logged in.

This is how I’m currently using it in my app:
(Note:
1. connectRedis(session): session is coming from ‘express-session’
2. new Redis() can work without process.env.REDIS_URL in development.)
[screenshot: Screen Shot 2021-01-14 at 12.08.30 PM]

And in my resolver on the GraphQL mutation:
[screenshot: Screen Shot 2021-01-14 at 12.07.55 PM]