Can someone tell me if this observation is valid?

[ORESoftware]

http://stackoverflow.com/questions/33852793/passport-token-auth-without-database-session/34958643#34958643

It seems to me that expressSession sessions get lost if the server restarts, but cookieSession sessions remain even if the server restarts. Is that correct and if so why is that? thanks

[dougwilson]

Hi @ORESoftware,

The observation is correct, for the most part. The short answer is because that's how the two modules are designed: express-session is server-side sessions while cookie-session is client-side sessions.

What does this mean?

Server-side sessions are sessions where the contents of the session are stored on the server-side. Where you store this is typically in a database or other storage mechanism. If you are using the memory of your Node.js web application as the storage location, then yes, restarting that server process will loose all sessions. The way this works is that each session is stored on the server with a unique identifier. A cookie is then sent on the user's web browser that is just this unique identifier.

Client-side sessions are sessions where the contents of the session are stored on the client itself. Rather than the value of the cookie just being a unique identifier, the value is the actual contents of the session, meaning that there is no aspect of the session actually stored on the server (so-called stateless sessions).

There are of course pros/cons to each approach, which is why the two mechanisms exist. There are many resources out there that describe in details these pros/cons, so I won't get into extreme detail here, but a few highlights:

• Client-side sessions are "heavy", as the client will transmit the entire contents of the session in an HTTP header with every request. HTTP headers cannot even be compressed in HTTP/1, so this is even heavier than one may realize. A server-side session, on the other hand, only sends a small unique identifier string in the header of every request.
• Server-side sessions can store a lot of data, since the data is not transferred back and forth. In fact, the value of a cookie has a max value, just under 4kb. More at https://github.com/expressjs/cookie-session#max-cookie-size
• Server-side sessions allow for revocation, where a user can invalidate sessions in other browsers, for example, since the source of truth for the sessions is on the server and under the control of the server.

The two modules give a choice between the two, and both have valid use-cases. For example, a client-side session can be good if the session does not contain much data, rarely changes, and there is no need to know what sessions are out in the wild (for tracking, listing, revocation, etc.).

I hope this helps! Let me know if you have any additional questions :)

[ORESoftware]

that definitely helps thanks a ton for info

[ORESoftware]

one more question - can the docs explain what the keys are ?

app.use(cookieSession({
    name: 'lectal-cookie1',
    keys: ['key1', 'key2']
}));

the docs don't seem to explain what these keys are about

[dougwilson]

Hi! There is the documentation section regarding keys https://github.com/expressjs/cookie-session#keys but I understand it can use a bit more information (noted & tracking in the existing issue #43).

Can you help me by telling me does the current documentation in that section not help? Does it make you ask a specific question, and if so, what is that question(s)?