Authentication in Node.js - #9 Session Timeout

To secure sessions against impersonation, it's important to impose expiration timeouts. One of them is inactivity or idle timeout whereby if the user remains idle for a given time period, their session auto-expires. If they remain active however, their session expiry rolls over on each request.

While useful for most websites for keeping users signed in, this has an interesting implication. If the user continues to ping the server periodically, they can prolong their session indefinitely. If you'd like to read more, I first reported this behavior in express-session repo https://github.com/expressjs/session/issues/624 To circumvent this issue, we need to impose an absolute timeout.

With the absolute timeout, the session expires after a fixed period of time regardless of whether the user is still active or not. While it may hinder user experience, absolute timeout is nonetheless recommended by OWASP to minimize the risk of session hijacking https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.m #absolute-timeout

In express-session, there is a pending PR to implement max duration on sessions https://github.com/expressjs/session/pull/595 It's been open since mid 2018 however, so it probably won't be soon until it's merged. In the meantime, we can implement a fairly straightforward home-grown solution by simply keeping track of the session creation date. We'll explore this approach in detail in this video.

GitHub repo https://github.com/alex996/node-auth