I have been reading up a little on the source for Connect and Express of how session is managed. I am still learning the basics on sessions but I do not understand how the memory is handled.
I know that the server holds the session data in memory and uses a session id to access the data. The server sends the cookie (I am guessing session cookie?) that holds the id and when the user accesses the site, the session is used again.
This is a silly question but my question is how does the memory get managed say if the user deletes his cookies or expires without renewing the session timeout? Does the data stay in memory forever?
Edit: I just looked at PHP and other languages and saw documentation of how they clean up sessions. It seems they have a garbage collector (scans and deletes expired sessions). Does Connect/Express have this functionality?
The Connect MemoryStore (the default session storage module for the Session middleware) will not garbage-collect expired sessions. It only checks their expiration when they are accessed (at which point it will delete the storage if the session is expired), so if the user clears their cookies, the session will never be accessed again, and will never expire from the MemoryStore. Hence the warning at the Session middleware docs that MemoryStore shouldn't be used in production.
Connect does not provide other session storage modules and expects you to supply your own, building on the abstract Store module included with the Session middleware.