Hey,
I’m working with express-session right now and I’m concerned about a few things.
I have made a “remember me” checkbox and I was wondering if what I’m doing on the backend is correct?
The code from the backend:
    const passport = require("passport");

    const postLogin = (req, res, next) => {
      // Passport does the redirect itself (success -> /account, failure -> /login)
      passport.authenticate("local", {
        successRedirect: "/account",
        failureRedirect: "/login",
        failureFlash: true
      })(req, res, next);

      // Runs for every POST to /login, whether or not authentication succeeded
      if (req.body.remember_me) {
        req.session.cookie.maxAge = 30 * 24 * 60 * 60 * 1000; // 30 days
      } else {
        req.session.cookie.expires = false; // browser-session cookie
      }
    };
It seems to work without any issues, but I’m unsure if this is the correct and secure way of doing it or if there’s a better way to do it?
Also, if someone visits the login page, enters wrong login details and checks the “remember me” checkbox, it basically extends the session of a not-logged-in user too, which I don’t think should happen.
Also, I only want to store sessions of logged-in users, but right now it stores sessions for all users, even those who are not logged in. Or is it normal for users to have a session, even anonymous, not-yet-logged-in users?
Thanks.
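One way to structure this so that only a successful login gets the long-lived cookie, and anonymous visitors are never written to the session store. This is an added example, not code from the original post; it assumes passport with a "local" strategy, express-session and connect-flash (for req.flash) are already configured, and the names sessionOptions, applyRememberMe and makePostLogin are chosen here.

```javascript
// Added example, not the original poster's code. Assumes passport ("local" strategy),
// express-session and connect-flash are wired up elsewhere in the app.

const THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000;

// express-session options: saveUninitialized:false means a visitor who never logs in
// (so never modifies req.session) is not persisted to the store at all.
const sessionOptions = {
  secret: process.env.SESSION_SECRET || "PLACEHOLDER-set-SESSION_SECRET", // placeholder
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: true, sameSite: "lax", secure: process.env.NODE_ENV === "production" },
};

// Extend the cookie only for an authenticated session. Assigning expires = false gives a
// browser-session cookie, which is express-session's documented way to do that.
function applyRememberMe(session, rememberMe) {
  if (rememberMe) {
    session.cookie.maxAge = THIRTY_DAYS_MS;
  } else {
    session.cookie.expires = false;
  }
  return session;
}

// Custom-callback form of passport.authenticate: with a callback, passport neither
// redirects nor calls req.logIn for you, so the session is only touched after logIn
// succeeds and a failed attempt can never receive a 30-day cookie.
function makePostLogin(passport) {
  return (req, res, next) => {
    passport.authenticate("local", (err, user, info) => {
      if (err) return next(err);
      if (!user) {
        // failureFlash is not applied in callback mode, so flash the message manually
        req.flash("error", (info && info.message) || "Invalid credentials");
        return res.redirect("/login");
      }
      req.logIn(user, (loginErr) => {
        if (loginErr) return next(loginErr);
        applyRememberMe(req.session, Boolean(req.body.remember_me));
        return res.redirect("/account");
      });
    })(req, res, next);
  };
}
```

Wire it up with `app.use(session(sessionOptions))` and `app.post("/login", makePostLogin(passport))`.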