How do sessions work in Express.js with Node.js?

by

Overview

Express.js uses a cookie to store a session id (with an encryption signature) in the user’s browser and then, on subsequent requests, uses the value of that cookie to retrieve session information stored on the server. This server side storage can be a memory store (default) or any other store which implements the required methods (like connect-redis).

Details

Express.js/Connect creates a 24-character Base64 string using utils.uid(24) and stores it in req.sessionID. This string is then used as the value in a cookie.

Client Side

Signed cookies are always used for sessions, so the cookie value will have the following format.

[sid].[signature]

Where [sid] is the sessionID and [signature] is generated by signing [sid] using the secret key provided when initializing the session middleware.
The signing step is done to prevent tampering. It should be computationally infeasable to modify [sid] and then recreate [signature] without knowledge of the secret key used. The session cookie is still vulnerable to theft and reuse, if no modification of [sid] is required.

The name for this cookie is

connect.sid

Server Side

If a handler occurs after the cookieParser and session middleware it will have access to the variable req.cookies. This contains a JSON object whose keys are the cookie keys and values are the cookie values. This will contain a key named connect.sid and its value will be the signed session identifier.

Here’s an example of how to set up a route that will check for the existence of the session cookie on every request and print its value to the console.

app.get("/*", function(req, res, next) {

    if(typeof req.cookies['connect.sid'] !== 'undefined') {
        console.log(req.cookies['connect.sid']);
    }

    next(); // Call the next middleware
});

You’ll also need to make sure the router (app.use(app.router)) is included after cookieParser and session in your configure section.

The following is an example of the data stored internally by Express.js/Connect.

{
  "lastAccess": 1343846924959,
  "cookie": {
    "originalMaxAge": 172800000,
    "expires": "2012-08-03T18:48:45.144Z",
    "httpOnly": true,
    "path": "https://stackoverflow.com/"
  },
  "user": { 
    "name":"waylon",
    "status":"pro"
  }
}

The user field is custom. Everything else is part of session management.

The example is from Express 2.5.

More Related Contents:

  1. Make Axios send cookies in its requests automatically
  2. How to send flash messages in Express 4.0?
  3. Sessions won’t save in Node.js without req.session.save()
  4. Writing to files in Node.js
  5. How to access the request body when POSTing using Node.js and Express?
  6. How to enable cors nodejs with express?
  7. How to get a URL parameter in Express?
  8. Failed to load c++ bson extension
  9. Function to convert timestamp to human date in javascript [duplicate]
  10. Rest with Express.js nested router
  11. Nodejs express and promises not doing what I expect
  12. How can I set response header on express.js assets
  13. UnhandledPromiseRejectionWarning: MongooseServerSelectionError
  14. What does “./bin/www” do in Express 4.x?
  15. Express js form data
  16. Running multiple Node (Express) apps on same port
  17. Node + Express with static HTML. How to route all requests to index.html?
  18. Accessing EJS variable in Javascript logic
  19. res.sendfile in Node Express with passing data along
  20. Accessing Express.js local variables in client side JavaScript
  21. Node.js request CERT_HAS_EXPIRED
  22. Node.js / Express.js – How to override/intercept res.render function?
  23. configure node express to serve static bower_components?
  24. require(‘babel/register’) doesn’t work
  25. Calling Express Route internally from inside NodeJS
  26. Express: Setting content-type based on path/file?
  27. Cookies Only set in Chrome – not set in Safari, Mobile Chrome, or Mobile Safari
  28. How to generate unique ID with node.js
  29. How can I use webpack with express?
  30. Node.js passing parameters to client via express render

Leave a Comment