diff --git a/HISTORY.md b/HISTORY.md index 238498ec..fe50c562 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,6 +1,15 @@ unreleased ========== +## ⚠️ BREAKING CHANGES + + * Change `saveUninitialized` option default from `true` to `false` + - New sessions are no longer saved to the store (nor a cookie set) unless modified + during the request; pass `saveUninitialized: true` to restore the previous behavior + - The deprecation warning for omitting this option has been removed + +## Other changes + * Replace `uid-safe` dependency with built-in `crypto.randomBytes` for session ID generation - Session IDs keep the same format as before (32-character base64url strings) diff --git a/README.md b/README.md index 1e30b86b..2ef9558f 100644 --- a/README.md +++ b/README.md @@ -289,9 +289,9 @@ laws that require permission before setting a cookie. Choosing `false` will also help with race conditions where a client makes multiple parallel requests without a session. -The default value is `true`, but using the default has been deprecated, as the -default will change in the future. Please research into this setting and -choose what is appropriate to your use-case. +The default value is `false`. Set this to `true` if you need every new session +to be saved to the store even when not modified, such as tracking anonymous +visitors. **Note** if you are using Session in conjunction with PassportJS, Passport will add an empty Passport object to the session for use after a user is diff --git a/index.js b/index.js index c61dce0a..f16d589a 100644 --- a/index.js +++ b/index.js @@ -16,7 +16,6 @@ var cookie = require('cookie'); var crypto = require('crypto') var debug = require('debug')('express-session'); -var deprecate = require('depd')('express-session'); var onHeaders = require('on-headers') var parseUrl = require('parseurl'); var signature = require('cookie-signature') @@ -111,8 +110,7 @@ function session(options) { } if (saveUninitializedSession === undefined) { - deprecate('undefined saveUninitialized option; provide saveUninitialized option'); - saveUninitializedSession = true; + saveUninitializedSession = false; } if (opts.unset && opts.unset !== 'destroy' && opts.unset !== 'keep') { diff --git a/package.json b/package.json index f8b18235..ae2fff44 100644 --- a/package.json +++ b/package.json @@ -13,7 +13,6 @@ "cookie": "1.1.1", "cookie-signature": "1.0.7", "debug": "4.4.3", - "depd": "~2.0.0", "on-headers": "~1.0.2", "parseurl": "~1.3.3" }, diff --git a/test/session.js b/test/session.js index 1e851dcd..2b8a312f 100644 --- a/test/session.js +++ b/test/session.js @@ -1091,15 +1091,15 @@ describe('session()', function(){ }); describe('saveUninitialized option', function(){ - it('should default to true', function(done){ + it('should default to false', function(done){ var store = new session.MemoryStore() - var server = createServer({ store: store }) + var server = createServer({ store: store, saveUninitialized: undefined }) request(server) .get('/') - .expect(shouldSetSessionInStore(store)) - .expect(shouldSetCookie('connect.sid')) - .expect(200, done); + .expect(shouldNotSetSessionInStore(store)) + .expect(shouldNotHaveHeader('Set-Cookie')) + .expect(200, done) }); it('should force save of uninitialized session', function(done){ @@ -2403,6 +2403,10 @@ function createSession(opts) { options.secret = 'keyboard cat' } + if (!('saveUninitialized' in options)) { + options.saveUninitialized = true + } + return session(options) }