From 19332d833d56c5651886d72169f4228bbf0031eb Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Sun, 5 Jul 2026 22:44:05 -0500 Subject: [PATCH 1/2] feat: change default value of unset option from 'keep' to 'destroy' in session middleware --- HISTORY.md | 6 ++++++ README.md | 2 +- index.js | 3 +-- test/session.js | 4 ++-- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index 238498ec..ca079c7a 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,6 +1,12 @@ unreleased ========== +## ⚠️ BREAKING CHANGES + + * Change `unset` option default from `'keep'` to `'destroy'` + - Sessions unset via `req.session = null` (or `delete`) are now deleted from the store + when the response ends; pass `unset: 'keep'` to restore the previous behavior + * Replace `uid-safe` dependency with built-in `crypto.randomBytes` for session ID generation - Session IDs keep the same format as before (32-character base64url strings) diff --git a/README.md b/README.md index 1e30b86b..10fd2483 100644 --- a/README.md +++ b/README.md @@ -335,7 +335,7 @@ The session store instance, defaults to a new `MemoryStore` instance. Control the result of unsetting `req.session` (through `delete`, setting to `null`, etc.). -The default value is `'keep'`. +The default value is `'destroy'`. - `'destroy'` The session will be destroyed (deleted) when the response ends. - `'keep'` The session in the store will be kept, but modifications made during diff --git a/index.js b/index.js index c61dce0a..b260ae20 100644 --- a/index.js +++ b/index.js @@ -119,8 +119,7 @@ function session(options) { throw new TypeError('unset option must be "destroy" or "keep"'); } - // TODO: switch to "destroy" on next major - var unsetDestroy = opts.unset === 'destroy' + var unsetDestroy = opts.unset !== 'keep' if (Array.isArray(secrets) && secrets.length === 0) { throw new TypeError('secret option array must contain one or more strings'); diff --git a/test/session.js b/test/session.js index 1e851dcd..afe5ec5c 100644 --- a/test/session.js +++ b/test/session.js @@ -1301,7 +1301,7 @@ describe('session()', function(){ assert.throws(session.bind(null, { unset: 'bogus!' }), /unset.*must/) }); - it('should default to keep', function(done){ + it('should default to destroy', function(done){ var store = new session.MemoryStore(); var server = createServer({ store: store }, function (req, res) { req.session.count = req.session.count || 0 @@ -1324,7 +1324,7 @@ describe('session()', function(){ if (err) return done(err); store.length(function(err, len){ if (err) return done(err); - assert.strictEqual(len, 1) + assert.strictEqual(len, 0) done(); }); }); From e4acf37f756f7f85f099b3ec6c882ea91b74d15c Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Sun, 5 Jul 2026 22:45:19 -0500 Subject: [PATCH 2/2] docs: improve --- HISTORY.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/HISTORY.md b/HISTORY.md index ca079c7a..32cf4110 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -7,6 +7,8 @@ unreleased - Sessions unset via `req.session = null` (or `delete`) are now deleted from the store when the response ends; pass `unset: 'keep'` to restore the previous behavior +## Other changes + * Replace `uid-safe` dependency with built-in `crypto.randomBytes` for session ID generation - Session IDs keep the same format as before (32-character base64url strings)