
I was trying to comprehend express-session from the docs and I am unable to get some points.

Consider this code, which I found from a repo

const session = require('express-session');
// Assumed, not shown in the question: the MongoStore constructor used here matches
// the connect-mongo package, and MONGO_URI is the MongoDB connection string.
const MongoStore = require('connect-mongo')(session);

app.use(session({
  resave: true,            // write the session back to the store on every request, even if unchanged
  saveUninitialized: true, // persist (and set a cookie for) sessions that were never modified
  secret: 'aaabbbccc',     // key used to sign the session-ID cookie
  store: new MongoStore({  // keep session data in MongoDB instead of the default MemoryStore
    url: MONGO_URI,
    autoReconnect: true
  })
}));

Now, I probably get what is happening here but still just to confirm

resave: true according to the doc will mean that it will force to save the session back to the session store even if it hasn't changed. Okay, cool? But why would someone force to save a session when it isn't changed, and what difference will it make?

saveUninitialized: true Here we are storing the session for non-logged in user as well?

And Finally if someone could explain this line of code as well (which I am unable to comprehend)

store: new MongoStore({
  url: MONGO_URI,
  autoReconnect: true
})

Moving on, in the above code, the author of the repo isn't storing the session in the cookie, and is just storing the cookie identifier?

And lastly, In the description they have mentioned/talked about cookie.httpOnly, cookie.expires and cookie.domain

Now, I understood their functionality but am unable to comprehend their implementation, so could anyone showcase the implementation for any one of them?

anny123
    For resave option, check out : https://stackoverflow.com/questions/40381401/when-use-saveuninitialized-and-resave-in-express-session – SanSolo Dec 13 '18 at 04:22

1 Answer


These are my understandings. I might be wrong.

  1. Maybe resave is used for certain storage drivers to keep the session alive!? I don't have anything in mind right now.
  2. saveUninitialized is true means a session will always be created. Experiment: Create a simple express server. Configure express-session and keep that value true. Don't create any session manually. Hit any endpoint of your server from the browser. Open developer options and look for cookies. You will see a cookie has been generated. Now, remove the cookie. Change the value to false and hit the endpoint again. No cookie will be generated this time.
  3. If you don't mention any store then all sessions will be stored in MemoryStore, which is built only for development purposes. So in production you should always use some sort of persistent storage. There are a good number of storage options available.
Shihab