Reputation: 2232
Super simple question that I'm having trouble wrapping my head around.
When using sessions with Node.js, are the sessions stored in the user's browser? Or are the sessions stored on the server?
For example, if I'm using the express-session or passport.session(), where are these session cookies stored?
Upvotes: 1
Views: 52
Reputation: 33824
As @robertklep mentioned, sessions (in the way you're using them) are stored on the client, but only contain a session ID. When your request hits the web server, it'll then look up the session ID to grab the account from some sort of database / cache, then use it for the remainder of the request lifecycle.
If you're interested in learning more about this, you might want to check out this screencast I made a while ago which covers exactly how cookies work, and why -- as well as how to store them securely: https://www.youtube.com/watch?v=yvviEA1pOXw
Furthermore, if you're looking to build a site that doesn't use 'typical' server-side sessions, and works with modern client-side front-end web frameworks like Angular.js / React.js / etc., you might want to investigate JSON Web Tokens (JWTs). These tokens allow you to create 'dumb' cookies that don't require a database lookup on the server, and can speed up your web apps / API services pretty dramatically: https://stormpath.com/blog/build-secure-user-interfaces-using-jwts/
Hope this helps!
Upvotes: 1
Reputation: 203231
The fine manual states:
Note Session data is not saved in the cookie itself, just the session ID. Session data is stored server-side.
express-session sends a cookie to the browser (which stores it), which contains a unique session id. The data itself is stored on the server (depending on which session store you use, this can be in memory, Redis, MongoDB, ...).
The session id in the cookie is merely used as a key to look up the actual data in the session store.
Upvotes: 0
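The split described in the answers above (session ID in the browser cookie, session data in a server-side store), as an added example that is not from either answer and is not express-session's own code. It is a simplified model using only Node's built-in `crypto` module; the function names, the secret, the in-memory `Map` store and the `sid.signature` cookie layout are assumptions for illustration.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: sample signing key
const store = new Map();                  // server-side session store (in memory)

// HMAC over the session ID so the server can reject IDs it did not issue.
function sign(sid) {
  return crypto.createHmac('sha256', SECRET).update(sid).digest('hex');
}

// Session data goes into the store; only "sid.signature" goes to the browser.
function createSession(data) {
  const sid = crypto.randomBytes(24).toString('hex'); // unguessable ID
  store.set(sid, data);
  return `${sid}.${sign(sid)}`;
}

// Resolve a cookie value to session data, or null if forged or unknown.
function loadSession(cookieValue) {
  const dot = cookieValue.lastIndexOf('.');
  if (dot < 1) return null;
  const sid = cookieValue.slice(0, dot);
  const got = Buffer.from(cookieValue.slice(dot + 1));
  const want = Buffer.from(sign(sid));
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
  return store.has(sid) ? store.get(sid) : null;
}

// Logout or revocation happens on the server: the cookie becomes a dead key.
function destroySession(cookieValue) {
  return store.delete(cookieValue.slice(0, cookieValue.lastIndexOf('.')));
}

// Constructed sample data: the browser never sees these fields.
const cookie = createSession({ user: 'alice@example.test', role: 'admin' });
console.log(`Set-Cookie: sid=${cookie}; HttpOnly; Secure; SameSite=Lax`);
console.log('server-side lookup:', loadSession(cookie));
```

Because the cookie is only a lookup key, deleting the store entry invalidates the session immediately, even if the browser still sends the old cookie.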