Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions HISTORY.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,15 @@
unreleased
==========

## ⚠️ BREAKING CHANGES

* Change `saveUninitialized` option default from `true` to `false`
- New sessions are no longer saved to the store (nor a cookie set) unless modified
during the request; pass `saveUninitialized: true` to restore the previous behavior
- The deprecation warning for omitting this option has been removed

## Other changes

* Replace `uid-safe` dependency with built-in `crypto.randomBytes` for session ID generation
- Session IDs keep the same format as before (32-character base64url strings)

Expand Down
6 changes: 3 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -289,9 +289,9 @@ laws that require permission before setting a cookie. Choosing `false` will also
help with race conditions where a client makes multiple parallel requests
without a session.

The default value is `true`, but using the default has been deprecated, as the
default will change in the future. Please research into this setting and
choose what is appropriate to your use-case.
The default value is `false`. Set this to `true` if you need every new session
to be saved to the store even when not modified, such as tracking anonymous
visitors.

**Note** if you are using Session in conjunction with PassportJS, Passport
will add an empty Passport object to the session for use after a user is
Expand Down
4 changes: 1 addition & 3 deletions index.js
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@
var cookie = require('cookie');
var crypto = require('crypto')
var debug = require('debug')('express-session');
var deprecate = require('depd')('express-session');
var onHeaders = require('on-headers')
var parseUrl = require('parseurl');
var signature = require('cookie-signature')
Expand Down Expand Up @@ -111,8 +110,7 @@ function session(options) {
}

if (saveUninitializedSession === undefined) {
deprecate('undefined saveUninitialized option; provide saveUninitialized option');
saveUninitializedSession = true;
saveUninitializedSession = false;
}

if (opts.unset && opts.unset !== 'destroy' && opts.unset !== 'keep') {
Expand Down
1 change: 0 additions & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,6 @@
"cookie": "1.1.1",
"cookie-signature": "1.0.7",
"debug": "4.4.3",
"depd": "~2.0.0",
"on-headers": "~1.0.2",
"parseurl": "~1.3.3"
},
Expand Down
14 changes: 9 additions & 5 deletions test/session.js
Original file line number Diff line number Diff line change
Expand Up @@ -1091,15 +1091,15 @@ describe('session()', function(){
});

describe('saveUninitialized option', function(){
it('should default to true', function(done){
it('should default to false', function(done){
var store = new session.MemoryStore()
var server = createServer({ store: store })
var server = createServer({ store: store, saveUninitialized: undefined })

request(server)
.get('/')
.expect(shouldSetSessionInStore(store))
.expect(shouldSetCookie('connect.sid'))
.expect(200, done);
.expect(shouldNotSetSessionInStore(store))
.expect(shouldNotHaveHeader('Set-Cookie'))
.expect(200, done)
});

it('should force save of uninitialized session', function(done){
Expand Down Expand Up @@ -2403,6 +2403,10 @@ function createSession(opts) {
options.secret = 'keyboard cat'
}

if (!('saveUninitialized' in options)) {
options.saveUninitialized = true
}

return session(options)
}

Expand Down
Loading