Sessions in parse-server doesn't seem to work the way I expected sessions to work #3387

Closed
asdf01 opened this issue Jan 16, 2017 · 4 comments

asdf01 commented Jan 16, 2017

Hello Parse-Server elders

How are parse-server Sessions meant to work?

The way I thought Sessions work is that there is a timeout and a limit on the max session length. A timeout would be set to something like 30m, so if a client doesn't communicate with the server using the sessionToken at least once every 30m, then the session would time out and the sessionToken would no longer be usable.

But if the client does communicate using the sessionToken continuously, then they can communicate with the server up to a max session length, e.g. 8 hours or something.

However, in parse-server there seems to only be a single sessionLength property. When you communicate with the server using the sessionToken, the expiresAt value doesn't seem to be updated. So parse-server's sessionLength is what I have been referring to in my example as "max session length", is that right?

The concept of the shorter timeout to verify the health of the client isn't present in parse-server, is that right?

Thanks

wookiem commented Jan 31, 2017

I too couldn't find anything in the documentation. However, I did find a response on this topic from @flovilmart in serverfault (see link below). The guidance is as follows:

When creating a new instance of ParseServer pass: expireInactiveSessions: true alongside the options. You can configure the sessionLength too (in seconds)

http://serverfault.com/questions/787470/implement-expire-inactive-session-feature-in-parse-server

I haven't tried it out yet, but I hope to do so this week.

Contributor

hramos commented Feb 10, 2017

Hey, thanks for reporting this issue.

Can you please add all the info specified in the template? This is necessary for people to be able to understand and reproduce the issue being reported.

hramos closed this as completed Feb 10, 2017

simonaberry commented Jan 31, 2019

I have a similar requirement (managing sessions across multiple tabs) and have been doing investigation into the matter. It appears that the expireInactiveSessions flag is defaulted to true and ensures that the sessionLength property is executed (i.e. your max session length).

I therefore think we would need to implement our own solution, and have conceptually come up with the following approach:

Principle of Operation

  • every time a tab closes, notify any other tabs via localStorage and tell the server to expire the session in 60s
  • every time a tab detects that a sibling tab has been closed, tell the server not to expire the session

client:

On application start :

  • check if logged in (Parse.User.current()), if not redirect to login
  • write token to localStorage (IAmLoggedIn)
  • register an eventListener on window.onbeforeunload [triggers when closing tab or refreshing page]
  • register an eventListener on storage [triggers when data added to/removed from localStorage]
  • add code to gracefully handle 209 (session has expired) errors
  • run PleaseDontCloseSession() cloud function // sets session expiry to 30 days from now

OnBeforeUnload: [tab closing/refreshing]

  • delete IAmLoggedIn token from localStorage
  • run IAmEndingMySession() cloud code function // sets session expiry to 60s from now

OnStorage [localStorage changed]

  • if event.key === IAmLoggedIn && newValue === null -> run PleaseDontCloseSession() cloud function after a short delay // this should only trigger if another tab deleted the IAmLoggedIn token

server:

IAmEndingMySession() cloud function

  • fetch session and set ExpiresAt to 60s from now

PleaseDontCloseSession() cloud function

  • fetch session and set ExpiresAt to 30 days from now

any feedback on the idea is appreciated (especially @flovilmart) - will report back once we have implemented...

@simonaberry

For anyone who reads this later... the problem with the above approach is that you cannot modify expiresAt - it is a read-only field.

So you have to create your own timesOutAt field and use a background job to delete any 'timed out' sessions.
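
Added example (not part of the thread and not Parse Server code): a minimal in-memory model of the two-deadline scheme discussed above, with a fixed expiresAt as the max session length and a sliding timesOutAt field as the idle timeout that a background job enforces. Plain objects stand in for session rows; the function names, tokens and timeline are assumptions, and the 30 minute and 8 hour values come from the original question.

```javascript
// Added example: in-memory model only. Plain objects stand in for rows of the
// session class; `timesOutAt` is the custom field named in the last comment.
const MIN = 60 * 1000;
const IDLE_TIMEOUT_MS = 30 * MIN;      // idle timeout from the original question
const MAX_SESSION_MS = 8 * 60 * MIN;   // max session length from the question

function createSession(sessionToken, now) {
  return {
    sessionToken,
    expiresAt: now + MAX_SESSION_MS,   // absolute deadline, never extended
    timesOutAt: now + IDLE_TIMEOUT_MS, // sliding deadline, extended on use
  };
}

const isLive = (s, now) => now < s.expiresAt && now < s.timesOutAt;

// Run server-side on every authenticated request; false means reject the token.
function touchSession(session, now) {
  if (!isLive(session, now)) return false;
  // Slide the idle deadline, but never past the absolute expiry.
  session.timesOutAt = Math.min(now + IDLE_TIMEOUT_MS, session.expiresAt);
  return true;
}

// Body of the background job: drop every session past either deadline.
function sweepSessions(sessions, now) {
  const kept = sessions.filter((s) => isLive(s, now));
  return { kept, removed: sessions.length - kept.length };
}

// Constructed timeline: one client calls every 20 minutes, one goes silent.
function demo() {
  const t0 = Date.UTC(2019, 0, 31, 9, 0, 0);
  const active = createSession('constructed-active-token', t0);
  const idle = createSession('constructed-idle-token', t0);
  const firstTouch = touchSession(active, t0 + 20 * MIN);
  const idleAfter31 = touchSession(idle, t0 + 31 * MIN);
  const sweep = sweepSessions([active, idle], t0 + 31 * MIN);
  let activeAlive = firstTouch;
  for (let t = t0 + 40 * MIN; t < t0 + MAX_SESSION_MS; t += 20 * MIN) {
    activeAlive = touchSession(active, t) && activeAlive;
  }
  const activeAtMax = touchSession(active, t0 + MAX_SESSION_MS);
  return { idleAfter31, removed: sweep.removed, keptToken: sweep.kept[0].sessionToken,
           activeAlive, activeAtMax, cappedAtExpiry: active.timesOutAt === active.expiresAt };
}
```

Checking both deadlines on each request, rather than relying on the sweep alone, means a timed-out token is rejected even between job runs.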
