Aust

Reputation: 11602

A few questions about express.cookieSession()

On my node.js server (running express and socket.io), when a person connects, I add them to an array and save their location in the array into their session so each connection has access to their own information like so:

session.person_id = people.length;
session.save();
people.push(new Person());
//people[session.person_id] => Person

And the only thing that I save in the session is person_id. I have been using express.session() to handle this, which has been working fine until I started sending information to everyone who is connected at once. As I loop through their connections and get their sessions, sometimes (I can't figure out how to dupe the error) session exists but not session.person_id.

Anyways I'm hoping that by changing how I store the session, it can help me figure out my problem. So I have a few questions that I can't find answers to anywhere.

  1. Where is the cookie from express.cookieSession() stored? Server-side or client-side?
  2. Does express.cookieSession() allow for multiple servers running behind a load-balancer?
  3. Is it possible for a user to manipulate session data when using express.cookieSession()?

Upvotes: 4

Views: 1654

Answers (1)

Pascal Belloncle

Reputation: 11389

1 - Where is the cookie from express.cookieSession() stored? Server-side or client-side?

The cookie is sent on the replies from the server, and the browser sends that cookie back with each request.

2 - Does express.cookieSession() allow for multiple servers running behind a load-balancer?

Yes, if you use a shared store (like RedisStore)

3 - Is it possible for a user to manipulate session data when using express.cookieSession()?

Not if you use signed cookies (the default for session cookies in express when you provide a secret when initializing the session).

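var express = require('express');
var RedisStore = require('connect-redis')(express); // Express 3.x-era connect-redis API
var redis = require('redis').createClient();
var app = express();
app.use(express.cookieParser()); // express.session() needs parsed cookies
app.use(express.session({
  secret: "some random string", // key used to sign the session cookie
  store: new RedisStore({client: redis}) // store shared by every server behind the balancer
}));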

Upvotes: 3
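
Question 3 in practice, as an added example that is not part of the original answer or Express's own code: a minimal HMAC-SHA256 sign/verify pair showing why a client cannot change a signed cookie value, and why every server behind a load balancer must hold the same secret. The helper names, the `value.signature` layout and the sample secret are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// HMAC-SHA256 over the cookie value, hex-encoded.
function mac(value, secret) {
  return crypto.createHmac('sha256', secret).update(value).digest('hex');
}

// Hypothetical helper: produce "value.signature".
function signCookie(value, secret) {
  return value + '.' + mac(value, secret);
}

// Hypothetical helper: return the original value, or false when the
// signature is missing or does not match.
function unsignCookie(signed, secret) {
  const idx = signed.lastIndexOf('.');
  if (idx === -1) return false;
  const value = signed.slice(0, idx);
  const given = Buffer.from(signed.slice(idx + 1));
  const expected = Buffer.from(mac(value, secret));
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length) return false;
  return crypto.timingSafeEqual(given, expected) ? value : false;
}

// Constructed sample: the session payload from the question.
const SECRET = 'constructed-example-secret';
const issued = signCookie(JSON.stringify({ person_id: 3 }), SECRET);

// A client edits person_id but cannot recompute the signature without the secret.
const tampered = issued.replace('"person_id":3', '"person_id":0');

function demo() {
  return {
    sameSecret: unsignCookie(issued, SECRET),       // any server holding the same secret
    tampered: unsignCookie(tampered, SECRET),       // modified payload is rejected
    otherSecret: unsignCookie(issued, 'different')  // server configured with another secret
  };
}

console.log(demo());
```

Signing gives integrity only: the value stays readable by the client, so nothing confidential belongs in it.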
