What should I use for express.cookieParser() secret?

The docs say it should be secret, but my code is published on github.

Would app.use(express.cookieParser(crypto.randomBytes(64).toString())) work, or should the secret be the same when the server restarts? Should I store the secret on disk? How secret does it need to be?

It should be the same if you want to keep sessions after a restart. The secret is used to validate the session data on the server to prevent malformed cookie data. Maybe you can write your random data into a file and read the secret from the file on app start, and if the file exists you don't create a new random key.

To keep your secret secret, you can set it in an environment variable (called 'COOKIE_SECRET' for example) and then you can do:

var cookieSecret = process.env.COOKIE_SECRET;

app.use(express.cookieParser(cookieSecret));

(Or if you would like a more sophisticated config setup, you might like to take a look at nconf. It unifies configuration across environment variables, command-line arguments and flat files).

The secret is used to parse and match the session cookie. If you change it after a restart, it will make previous sessions void, as the cookie will not be valid with the new secret.

Still, in case cookies were stolen, you might consider changing the secret, which sort of protects you. It is not good practice to store the secret anywhere apart from the place where it is needed. Same with any secrets and salts, as access to them is not good for your security.