
Authentication in Node.js - #9 Session Timeout

Code Realm

To secure sessions against impersonation, it's important to impose expiration timeouts. One of them is the inactivity or idle timeout, whereby if the user remains idle for a given period, their session auto-expires. If they remain active, however, their session expiry rolls over on each request.

While useful for most websites for keeping users signed in, this has an interesting implication. If the user continues to ping the server periodically, they can prolong their session indefinitely. If you'd like to read more, I first reported this behavior in the express-session repo https://github.com/expressjs/session/... To circumvent this issue, we need to impose an absolute timeout.

With the absolute timeout, the session expires after a fixed period of time regardless of whether the user is still active or not. While it may hinder user experience, the absolute timeout is nonetheless recommended by OWASP to minimize the risk of session hijacking https://github.com/OWASP/CheatSheetSe...

In express-session, there is a pending PR to implement a maximum duration on sessions https://github.com/expressjs/session/... It's been open since mid 2018, however, so it probably won't be merged soon. In the meantime, we can implement a fairly straightforward homegrown solution by simply keeping track of the session creation date. We'll explore this approach in detail in this video.
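The homegrown approach described above, as an added example that is not code from the Code Realm repo or from express-session: the rolling idle timeout configured through express-session's options, beside a small middleware that records the session creation date and destroys the session once an absolute limit is exceeded, no matter how often the client pings. The timeout values, the placeholder secret and the `simulate` scenario are assumptions; the option names and `session.destroy(cb)` are express-session's real API, but the middleware only touches `req.session`, so the block runs without express installed.

```javascript
// Added example (not Code Realm's code). Assumed: 30 min rolling idle timeout, 8 h absolute
// timeout. Option names are express-session's; the middleware itself only uses req.session.
const IDLE_TIMEOUT_MS = 30 * 60 * 1000;
const ABSOLUTE_TIMEOUT_MS = 8 * 60 * 60 * 1000;

// Rolling idle timeout: with `rolling: true` express-session refreshes the cookie
// expiry on every request. Assumed wiring: app.use(session(sessionOptions)).
const sessionOptions = {
  secret: 'REPLACE-WITH-A-REAL-SECRET', // placeholder, never ship a literal secret
  resave: false,
  saveUninitialized: false,
  rolling: true,
  cookie: { maxAge: IDLE_TIMEOUT_MS, httpOnly: true, sameSite: 'lax' },
};

// True once the session has lived longer than maxAgeMs, regardless of activity.
function isExpiredAbsolutely(session, now, maxAgeMs) {
  return typeof session.createdAt === 'number' && now - session.createdAt > maxAgeMs;
}

// Middleware: stamp the creation time on the first request, destroy the session once the
// absolute limit passes even though the idle timer keeps rolling. `clock` is injectable.
function absoluteTimeout(maxAgeMs, clock = Date.now) {
  return function (req, res, next) {
    const s = req.session;
    if (!s) return next();
    if (s.createdAt === undefined) {
      s.createdAt = clock();
      return next();
    }
    if (isExpiredAbsolutely(s, clock(), maxAgeMs)) {
      // session.destroy(cb) is express-session's API; the 401 forces a fresh login
      return s.destroy((err) => (err ? next(err) : res.status(401).end()));
    }
    return next();
  };
}

// Constructed scenario: a client pings every intervalMs for totalMs of wall time.
// Returns how many requests were served before the absolute timeout ended the session.
function simulate(intervalMs, totalMs) {
  let now = 0;
  let destroyed = false;
  const mw = absoluteTimeout(ABSOLUTE_TIMEOUT_MS, () => now);
  const req = { session: { destroy(cb) { destroyed = true; cb(); } } };
  const res = { code: 200, status(c) { this.code = c; return this; }, end() {} };
  let served = 0;
  for (; now <= totalMs && !destroyed; now += intervalMs) mw(req, res, () => { served++; });
  return { served, destroyed, status: res.code };
}
```

With a 10-minute ping, the rolling idle timeout alone would keep the session alive forever; the simulation shows the 49th request (at exactly 8 h) still served and the next one ending with a destroyed session and a 401.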

GitHub repo https://github.com/alex996/nodeauth
