Secure Session Implementation - possible confusion

Hello,

in section '06. Cookies and Sessions' -> 'Best Practices and Attack Prevention' -> 'Sessions: Server-Side State Management' -> 'Secure Session Implementation', there is the following code:

if (!session) {
  // This is an invalid session ID
  res.redirect('/login');
  return;
}

// Update last active timestamp
session.lastActive = Date.now();

// Check session age
const sessionAge = Date.now() - session.lastActive;
if (sessionAge > 30 * 24 * 60 * 60 * 1000) { // 30 days
  SESSIONS.delete(sessionId);
  res.clearCookie('sessionId');
  res.redirect('/login');
  return;
}

I think it might confuse someone: it updates lastActive before checking the age, so the session would never be deleted by age.
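The ordering problem described above, shown as an added example that is not part of the course material or the original post: the quoted order of operations is reproduced in `checkSessionBuggy`, and `checkSessionFixed` measures idle time against the stored timestamp before refreshing it. `SESSIONS`, `makeSession`, `demo` and the injected `now` parameter are names chosen for this example; the Express response handling (`res.clearCookie`, `res.redirect`) is left out so the check can be run and tested on its own with a constructed clock.

```javascript
// Added example (not the course's or the poster's code): the quoted ordering
// bug next to the corrected order. `now` is passed in instead of calling
// Date.now() so a 31-day-old session can be simulated offline.

const MAX_SESSION_AGE_MS = 30 * 24 * 60 * 60 * 1000; // 30 days, as in the course snippet

// Minimal stand-in for the course's server-side session store (assumed shape).
const SESSIONS = new Map();

function makeSession(sessionId, userId, now) {
  SESSIONS.set(sessionId, { userId, createdAt: now, lastActive: now });
}

// Mirrors the quoted code: lastActive is refreshed BEFORE the age is computed,
// so sessionAge is always 0 and the 30-day branch can never run.
function checkSessionBuggy(sessionId, now) {
  const session = SESSIONS.get(sessionId);
  if (!session) return 'invalid';
  session.lastActive = now;                    // refreshed first...
  const sessionAge = now - session.lastActive; // ...so this is always 0
  if (sessionAge > MAX_SESSION_AGE_MS) {
    SESSIONS.delete(sessionId);
    return 'expired';
  }
  return 'ok';
}

// Corrected order: compare the stored timestamp against the clock first,
// drop the session if it has been idle too long, and only then record activity.
function checkSessionFixed(sessionId, now) {
  const session = SESSIONS.get(sessionId);
  if (!session) return 'invalid';
  const idleFor = now - session.lastActive;
  if (idleFor > MAX_SESSION_AGE_MS) {
    SESSIONS.delete(sessionId);
    return 'expired';
  }
  session.lastActive = now;
  return 'ok';
}

// Constructed scenario: two sessions created on the same day, both checked
// 31 days later. Only the corrected check expires its session.
function demo() {
  const t0 = Date.UTC(2024, 0, 1);
  const t31d = t0 + 31 * 24 * 60 * 60 * 1000;
  SESSIONS.clear();
  makeSession('A', 'alice', t0);
  makeSession('B', 'bob', t0);
  return {
    buggy: checkSessionBuggy('A', t31d),  // 'ok', the stale session survives
    fixed: checkSessionFixed('B', t31d),  // 'expired'
    fixedRemoved: !SESSIONS.has('B'),     // true
  };
}

console.log(demo());
```

In a real Express handler the `'expired'` and `'invalid'` results are where the cookie is cleared and the user is redirected to `/login`, exactly as the course snippet does; the only change needed is moving the `session.lastActive = Date.now()` line below the age check.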