Understanding Express Sessions

I'm going through this short tutorial on sessions in Express using express.cookieParser and express.session:

app.use(express.cookieParser());
app.use(express.session({secret: '1234567890QWERTY'}));

There's this passage:

Sessions are accessible through the request object in each route. You can get and set
properties just like you would when handling an object normally. For example, let's set
some session data in the awesome route.

app.get('/awesome', function(req, res) {
  req.session.lastPage = '/awesome';
  res.send('Your Awesome.');
});

Two questions:

  1. The session referred to in req.session is a cookie that was sent to the client, that contains a sessionID created by node/express, and now it's getting sent back with the GET request. Is this correct?

  2. So then in the res, this session object is automatically attached to the res and then sent back, updating the client cookie?

If you're using sessions, the browser will only contain a session id in the cookie. The things you put in the req.session variable will be saved server side (or where you configured express to save it).

The session id that was set at the browser's cookie will serve as the key for the server to identify what session information to load for that browser.

Not exactly. The cookie is just a random value signed with the secret string you put in when you configure it. The actual contents of the session object (in your example, {lastPage : '/awesome'}) are stored in the session store, which you also should be configuring somewhere in your Express config. Most demo apps can get away using the default MemoryStore, but production apps always use a nonvolatile storage like RedisStore, MongoStore, etc.
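
The mechanism both answers describe, as an added example that is not part of the original thread and is not Express's own code: a simplified model built only on Node's crypto module, in which `sign`, `unsign`, `store` and `handle` are hypothetical names. The cookie carries a random id plus an HMAC made with the secret, the session data stays in the server-side store, and a cookie whose id was altered fails verification and gets a fresh, empty session.

```javascript
// Simplified model of a signed session-id cookie plus a server-side store.
const crypto = require('crypto');

const SECRET = '1234567890QWERTY'; // the secret from the question's config
const store = new Map();           // stands in for MemoryStore / RedisStore

function mac(value, secret) {
  return crypto.createHmac('sha256', secret).update(value).digest('base64');
}

// Cookie value = "<sid>.<HMAC(sid)>": the client holds the id and its MAC only.
function sign(sid, secret) {
  return sid + '.' + mac(sid, secret);
}

// Returns the sid when the MAC verifies, otherwise false.
function unsign(cookie, secret) {
  const idx = cookie.lastIndexOf('.');
  if (idx < 0) return false;
  const sid = cookie.slice(0, idx);
  const got = Buffer.from(cookie.slice(idx + 1));
  const want = Buffer.from(mac(sid, secret));
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return got.length === want.length && crypto.timingSafeEqual(got, want) ? sid : false;
}

// One request: load the session for a valid cookie, or start a new one.
function handle(cookie, mutate) {
  let sid = cookie ? unsign(cookie, SECRET) : false;
  if (!sid || !store.has(sid)) {
    sid = crypto.randomBytes(24).toString('hex'); // unpredictable session id
    store.set(sid, {});
  }
  const session = store.get(sid);
  mutate(session);                 // what a route does via req.session
  return { cookie: sign(sid, SECRET), session };
}

// Constructed walk-through: first visit sets data, second visit reads it back.
const first = handle(null, (s) => { s.lastPage = '/awesome'; });
const second = handle(first.cookie, () => {});
console.log(first.cookie.includes('awesome'), second.session.lastPage);
```
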