ERR invalid expire time in set
We're getting the ERR invalid expire time in set error and having some trouble resolving it.
- Running latest versions of all modules
- Resave, rolling, and saveUninitialized are false.
- No ttl is explicitly set (see below).
- Cookie’s maxAge is set to 14 days
The ERR invalid expire time in set error begins to happen exactly 14 days (the maxAge) after the session was created.
I included some code below to illustrate our connect-redis and express-session config.
```js
const express = require('express');
const session = require('express-session');
const RedisStore = require('connect-redis')(session);
const redis = require('redis');

const app = express();
const redisClient = redis.createClient(...); // connection options elided in the original
const store = new RedisStore({ client: redisClient }); // no explicit ttl option

app.use(
  session({
    secret: 'secret here',
    store: store,
    resave: false,
    rolling: false,
    saveUninitialized: false,
    proxy: true,
    name: 'xyz',
    cookie: {
      maxAge: 1000 * 60 * 60 * 24 * 14, // 14 days, in milliseconds
      path: '/',
      secure: true,
      httpOnly: true,
    },
  })
);
```
We have an API that modifies and saves the session…
```js
req.session.someData = '123';
req.session.save((err) => {
  if (err) {
    return res.status(400).json({});
  }
  res.status(200).json({});
});
```
The above code in our controller throws the ERR invalid expire time in set error when attempting to save the session exactly 14 days (same as maxAge) after the session was created.
I also noticed that, when the request completes with the 400 error as shown above, there’s a Set-Cookie header on the 400 response with an Expires date equal to 14 days in the future. However, if we add console.log(req.session.cookie._expires) right before req.session.save(), the date that’s logged is the (correct) date, which is 14 days after the session was first created (yet, on the response, the expires in Set-Cookie is 14 days in the future).
If I’m understanding the internal workings of connect-redis and express-session correctly, with the above configuration, a session created should be valid for only 14 days (and the cookie should also expire after 14 days). Is this incorrect, seeing that the Set-Cookie header on the response is giving the cookie a new expires of 14 days in the future whenever the session data is changed?
If you could help us understand what might be happening here, it would be greatly appreciated! Our solution as of now is to rotate the cookie name every 13 days to force all users to log in again, thereby creating a new session (which works, until 14 days later when the issue reoccurs).
Issue Analytics
- Created 4 years ago
- Comments:11
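The failure described in the issue above, as an added example (not code from the issue, connect-redis or express-session): it assumes the store derives the Redis TTL from the session cookie's expiry date, so the TTL reaches zero once maxAge has elapsed, and it deletes the expired session instead of sending a non-positive `EX`. The helper names, the `sess:` key prefix, the fallback TTL and the sample session are constructed for illustration.

```javascript
// Added example; helper names and the "sess:" key prefix are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const DEFAULT_TTL_S = 86400; // assumed fallback when the cookie has no expiry

// Seconds left until the session cookie expires, i.e. the value a store
// would pass to Redis as `SET key value EX <ttl>`.
// Zero or negative once the cookie's expiry date has passed.
function ttlSecondsFromCookie(sess, nowMs) {
  const expires = sess && sess.cookie && sess.cookie.expires;
  if (!expires) return DEFAULT_TTL_S;
  return Math.ceil((new Date(expires).getTime() - nowMs) / 1000);
}

// Decide which command to send. Redis rejects EX <= 0 with
// "ERR invalid expire time in set", so an expired session is deleted
// rather than written back (which also enforces the absolute lifetime).
function planSessionWrite(sid, sess, nowMs) {
  const key = 'sess:' + sid;
  const ttl = ttlSecondsFromCookie(sess, nowMs);
  if (ttl <= 0) return { action: 'destroy', command: ['DEL', key] };
  const value = JSON.stringify(sess);
  return { action: 'save', command: ['SET', key, value, 'EX', String(ttl)] };
}

// Constructed sample: a session created at t0 with the 14-day maxAge from
// the issue and rolling: false, so its expiry stays fixed at t0 + 14 days.
const t0 = Date.UTC(2024, 0, 1);
const sampleSession = {
  someData: '123',
  cookie: { expires: new Date(t0 + 14 * DAY_MS).toISOString(), path: '/' },
};

// Evaluate a save attempt 13, 14 and 15 days after creation.
function demo() {
  return [13, 14, 15].map((day) => {
    const nowMs = t0 + day * DAY_MS;
    const plan = planSessionWrite('abc', sampleSession, nowMs);
    return { day, action: plan.action, ttl: ttlSecondsFromCookie(sampleSession, nowMs) };
  });
}

console.log(demo());
```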
I spent 48 hours getting this error on the production server, but it's easy to fix!! You just don’t need to set maxAge or the cookie expiry date when initializing the session; you must set maxAge or the expiry date in your app's controller, for example:
And yes, that was stupid of me, setting the cookie expiry date at initialization… 😄
Thanks @wavded. I really appreciate the quick response on this thread and also the other one. It’s very much appreciated.