koajs session - where is the session stored?

I am using this module for koajs sessions.

I checked the source code but I really cannot understand it. I am trying to know where it is saving the session data, because I see no files created, and when the server is restarted the session data is still there.

I got the feeling it is saving the data in the cookie itself, then I see it creates two cookies with scrambled text.

Now, is it encoding the data in the cookie itself (insecure) or is it saving the data on the server in a manner I do not understand yet?

Vern answered 17/4, 2015 at 6:8 Comment(0)

According to this section of code in the koa-session library, the session data is encoded into JSON, then into base64, then attached to a cookie.

Session.prototype.save = function(){
  var ctx = this._ctx;
  var json = this.toJSON();
  var opts = ctx.sessionOptions;
  var key = ctx.sessionKey;
  // set expire into cookie value
  var maxAge = opts.maxAge || ONE_DAY;
  json._expire = maxAge + Date.now();
  json._maxAge = maxAge;
  json = encode(json);
  debug('save %s', json);
  ctx.cookies.set(key, json, opts); // <-- this is where the session is being saved
};
Titanium answered 17/4, 2015 at 21:13 Comment(1)
Any idea why Koa session uses a secret if it doesn't sign the cookie? - Masque
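The JSON-then-base64 encoding described in the answer above can be reproduced outside Koa to see what a cookie holder can read and what a keyed signature adds. This is an added example, not code from the post or from koa-session; the cookie name, key and session contents are constructed, and the signature format (HMAC-SHA1 over "name=value", base64url) is an assumption based on how the `cookies`/Keygrip modules sign a cookie when keys are configured.

```javascript
const crypto = require('crypto');

// Same idea as the encode step in the quoted save(): JSON -> base64.
function encodeSession(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64');
}

// Anyone holding the cookie can do this; no key is involved.
function decodeSession(cookieValue) {
  return JSON.parse(Buffer.from(cookieValue, 'base64').toString('utf8'));
}

// Assumption: the companion cookie is an HMAC-SHA1 over "name=value",
// base64url-encoded (Keygrip-style).
function sign(name, value, key) {
  return crypto.createHmac('sha1', key).update(`${name}=${value}`)
    .digest('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
}

// Constant-time comparison of the presented signature with the expected one.
function verify(name, value, sig, key) {
  const expected = Buffer.from(sign(name, value, key));
  const given = Buffer.from(String(sig));
  return expected.length === given.length &&
    crypto.timingSafeEqual(expected, given);
}

// Constructed sample values (not taken from the page).
const NAME = 'koa:sess';            // assumed cookie name
const KEY = 'constructed-demo-key'; // stands in for the app's secret
const session = { passport: { id: 'user-123' }, _expire: 1700000000000, _maxAge: 86400000 };
const cookie = encodeSession(session);
const sig = sign(NAME, cookie, KEY);

// A payload edited on the client side, presented with the old signature.
const forged = encodeSession({ ...session, passport: { id: 'admin' } });

console.log('readable without key:', decodeSession(cookie).passport.id);
console.log('original verifies:', verify(NAME, cookie, sig, KEY));
console.log('tampered verifies:', verify(NAME, forged, sig, KEY));
```

The payload is readable by the client either way, so a signature of this kind protects integrity only; values that must stay confidential do not belong in such a cookie.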

I did it by sending the Koa server's this.session.passport.id with the

yield this.render('template',{id: this.session.passport.id});

and created a cookie on the client side in which the id is stored. When the server requests the client, I send this id with the request via POST or GET, which is resolved by a route:

public.get('/resource/:id', function* () {
  console.log('do stuff with your id' + this.params.id);
  // for example, you can check against the id of the passport user you stored in a database of logged-in users ...
});

If you use the passport stuff, you should think about the tokens instead of the id, because people could know your Facebook id. For that reason the tokens are what you would want to use for sending around.

There is a Stack Overflow question that will help you find your way: nodejs passport authentication token

Autosuggestion answered 18/4, 2015 at 18:15 Comment(0)
