What is the difference between 'session' and 'cookieSession' middleware in Connect/Express?

There are two session-related middleware packages bundled with Connect/Express.

What is the difference? How do I choose?

I'm assuming that session middleware is the same as cookieSession middleware - but with an extra store mechanism.

Ingenuous answered 1/4, 2013 at 14:0 Comment(1)
Both your links are to the same page. – Hel

The session middleware implements generic session functionality with in-memory storage by default. It allows you to specify other storage formats, though.

The cookieSession middleware, on the other hand, implements cookie-backed storage (that is, the entire session is serialized to the cookie, rather than just a session key). It should really only be used when session data is going to stay relatively small.

Clementeclementi answered 1/4, 2013 at 14:14 Comment(2)
And, as I understand, it (cookie-session) should only be used when session data isn't sensitive. It is assumed that a user could inspect the contents of the session, but the middleware will detect when the data has been modified. – Adna
@RyanBales if the session data should be kept private then you should be using TLS, but in that case it's likely that e.g. form data should be kept private as well so you should be using TLS anyway. The default settings will keep other sites from reading these cookies. It's hard to imagine a situation in which you want to hide information about a user's session from that user, but in that case you could just encrypt the session data before storing it. – Canaigre

Both middlewares make use of client-side cookies to maintain a user's context, i.e. the session. The difference lies in:

  • What gets stored in the cookies, and
  • Whether server-side store is needed

The table below compares cookieSession middleware and session middleware with respect to sessions:

+----------------+-----------------------+----------------------+
|                |   Client-side store   |   Server-side store  |
|                |        (cookie)       |  (in-memory, db ..)  |
+----------------+-----------------------+----------------------+
| Middleware     | Used?  |    Content   | Used? |    Content   |
+----------------+--------+--------------+-------+--------------+
| session        |   Yes  |  Session ID  |  Yes  | Session data |
+----------------+--------+--------------+-------+--------------+
| cookie-session |   Yes  | Session data |   No  |      N/A     |
+----------------+--------+--------------+-------+--------------+

cookieSession middleware is simpler in that it doesn't require any additional server-side store, i.e. the server remains entirely stateless. session middleware requires a server-side store. An obvious limitation of the default in-memory based session-store is that it doesn't work when there are multiple instances of a server; an alternative shared storage (e.g., a database) will be needed in such cases, which makes it relatively complex. In general though, session middleware is more commonly used since it's more flexible (for storing sensitive data, or larger payloads, etc.).

Claque answered 20/5, 2016 at 6:55 Comment(0)
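
The two storage models from the table above, together with the point from the comments that a cookie-stored session is readable by the user but tamper-evident, as an added example that is not part of the original answers or the middleware's own code. It uses only Node's built-in `crypto` module; the function names, the `payload.signature` cookie layout and the secret are assumptions made for illustration.

```javascript
// Added example; not the Connect/Express middleware source.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: server-side signing key
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const unb64 = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const sign = (payload) =>
  crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');

// cookieSession model: the whole session is serialized into the cookie value.
function encodeCookieSession(session) {
  const payload = b64(session);
  return `${payload}.${sign(payload)}`;
}

// Server side: returns the session, or null if the signature does not verify.
function decodeCookieSession(cookie) {
  const [payload, mac] = String(cookie).split('.');
  if (!payload || !mac) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  return unb64(payload);
}

// Client side: the payload is only encoded, so no secret is needed to read it.
function readWithoutSecret(cookie) {
  return unb64(cookie.split('.')[0]);
}

// A modified payload that reuses the old signature (what the server must reject).
function tamper(cookie, changes) {
  const forged = { ...readWithoutSecret(cookie), ...changes };
  return `${b64(forged)}.${cookie.split('.')[1]}`;
}

// session model: the cookie carries only a random ID; the data stays server-side.
const store = new Map(); // stands in for the default in-memory store
function createServerSession(session) {
  const sid = crypto.randomBytes(16).toString('hex');
  store.set(sid, session);
  return sid; // this is all the client ever sees
}
function loadServerSession(sid) {
  return store.get(sid) ?? null;
}
```

Signing gives integrity only: `readWithoutSecret` succeeds on any valid cookie, which is why the comments above suggest encrypting the data if it must be hidden from the user.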
