Session-only cookie for Express.js

Question

http://www.javascriptkit.com/javatutors/cookie.shtml

Session-only cookies, on the other hand, stores information in the browser memory, and is available for the duration of the browser session. In other words, the data stored inside a session cookie is available from the time of storage until the browser is closed. Moving from page to page during this time does not erase the data.

How can I achieve this using Express.js?

Answer 1

I know this is an old question but I'm adding an answer since all answers here seem to be either outdated, have security flaws or are just plain wrong.

As of now, express uses the MemoryStore by default, you don't need to explicitly handle that.

Also, as of now, the express-session's official readme page has a stark warning at the beginning to not use MemoryStore as the session store for production, quoting:

Warning The default server-side session storage, MemoryStore, is purposely not designed for a production environment. It will leak memory under most conditions, does not scale past a single process, and is meant for debugging and developing.
For a list of stores, see compatible session stores.

Here's a simple solution with connect-mongodb-session if you want to use MongoDBStore for session storage:

import express from 'express';
import session from 'express-session';
import ConnectMongoDbSession from 'connect-mongodb-session';

const app = express();
app.use(express.urlencoded({ extended: true }));
app.use(express.json());
app.use(session({
  secret: < COOKIE_SECRET >,
  name: 'sessionId', // Don't use the default name, see http://expressjs.com/en/advanced/best-practice-security.html
  cookie: {
    httpOnly: true,
    secure: true, // Remove this if you're not using HTTPS, but it will be a massive security flaw
    sameSite: 'strict',
  },
  store: getStore(),

  // Boilerplate options, see:
  // * https://www.npmjs.com/package/express-session#resave
  // * https://www.npmjs.com/package/express-session#saveuninitialized
  resave: true,
  saveUninitialized: true,
}));

function getStore() {
  const MongoDBStore = ConnectMongoDbSession(session);

  const store = new MongoDBStore({
    uri: < DATABASE_URI >,
    collection: < SESSION_COLLECTION_NAME >,
    connectionOptions: {
      useNewUrlParser: true,
      useUnifiedTopology: true,
    },
  });

  store.on('error', (error: any) => {
    console.error(error);
  });

  return store;
}

Answer 2

First off, that website is a horrible place to go.

Now on to the question.

What sessions actually are:

• Data is stored on the server side.
• A cookie is issued which contains an ID.
• This ID gets send back to the server on every request, due to the fact that the browser sends the cookies.
• Now the server can re-associate the ID in the cookie - commonly called Session ID or short SID - with the session data stored on the server.

Express.js has support for sessions built in.

What the example shows:

• Setting up the Express.js middleware
• Using a third-party store for saving the session data, in this case Redis (which IMO is overkill for your problem atm)

Installing Redis requires quite some work, but it's also possible to use Express.js's built-in memory store:

var express = require('express');
var app = express.createServer();

var MemoryStore = require('connect/middleware/session/memory');
app.use(express.bodyDecoder());
app.use(express.cookieDecoder());
app.use(express.session({ store: new MemoryStore({ reapInterval: 60000 * 10 }) }));

app.get('/', function(req, res){
    req.session.visitCount = req.session.visitCount ? req.session.visitCount + 1 : 1;
    res.send('You have visited this page ' + req.session.visitCount + ' times');
});

app.listen(4000);

This will simply keep track of how many times you visited the page, closed your browser and re-opend. The counts will still be there.

You can find more on the options of the MemoryStore, like maximum life time of a session, etc. here.

Answer 3

Below is the updated code for Alfred's answer (session using Express.js).

    var express = require('express');
    var app = express.createServer();

    var MemoryStore = require('/home/node/node_modules/connect/lib/middleware/session/memory');
    app.use(express.bodyParser());
    app.use(express.cookieParser());
    app.use(express.session({
        key: 'some-key',
        secret: 'some-We1rD sEEEEEcret!',
        store: new MemoryStore({ reapInterval: 60000 * 10 })
    }));

   app.get('/', function(req, res) {
       req.session.visitCount = req.session.visitCount ? req.session.visitCount + 1 : 1;
       res.send('You have visited this page ' + req.session.visitCount + ' times');
   });

   app.listen(4000);

Answer 4

The following is what I wanted (sort of). When I close browser the information is gone.

var express = require('express');
var app = express.createServer();

var MemoryStore = require('connect/middleware/session/memory');
app.use(express.bodyDecoder());
app.use(express.cookieDecoder());

app.get('/remember', function(req, res) {
    res.cookie('rememberme', 'yes', { expires: new Date() - 1, httpOnly: true });
});

app.get('/', function(req, res){
    res.send('remember: ' + req.cookies.rememberme);
});

app.listen(4000, '127.0.0.1');

Answer 5

app.use(express.session({cookie: { path: '/', httpOnly: true, maxAge: null }, secret:'eeuqram'}));

The above works on IE8, Firefox and Chrome. The important piece is maxAge:null

Answer 6

app.get('/remember', function(req, res) {
   res.cookie('rememberme', 'yes', { expires: 0, httpOnly: true });
 });

This will set session cookie. On browser close it will be erased!