I am looking for some information on best practices when using the passport local strategy. I went through the local strategy example that uses an authToken for login persistence, found on GitHub. When speaking with a coworker, they posed the question: how is storing this token in a session cookie any more secure than storing a password, because it's essentially your authenticated identity on the server? So how do I answer this question? It's a green question; I admittedly don't fully understand the entire lifecycle. So how is this a safe solution when integrated with bcrypt and Mongo like the example is? And if it was merely an example and not necessarily meant to show a robust solution, what are some best practices to keep our users and our application safe?
https://github.com/jaredhanson/passport-local/tree/master/examples/express3-mongoose-rememberme