I'm thinking about creating session this way:
create a secure token with cryto.randomBytes then store it in cookie.
extract token from cookie when node receive a new connection, store it inside global variable GLOBAL.SESSION[token] = data
I'm stuck on step 2:
What happend if node is crashed? Do I need to store the SESSION in a file like PHP does?
If I do it my way, in order to call SESSION, I need to globalize the token too. However, it's name will be a little long. If I shorten session name via assigning GLOBAL.SESSION[token] = GLOBAL.SESSION, it will be overwritten when node receive another connection.
Should I follow this way? Or Any further ideas about this?
create a secure token with cryto.randomBytes then store it in cookie
Just once? You risk session fixation attacks.
extract token from cookie when node receive a new connection, store it inside global variable
GLOBAL.SESSION[token] = data
It's not great practice to keep things global... but that's up to you and your application structure.
What happend if node is crashed?
When your application stops running, everything you put into memory is freed. You are responsible for managing your data, and if you want it persistent, you have to make it persistent by writing to disk, a database, etc.
Should I follow this way?
No. Don't re-invent the wheel. You will inevitably make a security mistake along the way, and you are just creating more work for yourself.
Yes, you will need to store the session data into a persistent database, which could be anything like a flat file, SQL database, or noSQL db like mongo, couchdb, etc.
If you use node.js and express, there is a really good library called connect-session: https://github.com/expressjs/session
you can readily use instead of reinventing the wheel.