Overview
Express.js uses a cookie to store a session id (with an encryption signature) in the user's browser and then, on subsequent requests, uses the value of that cookie to retrieve session information stored on the server. This server side storage can be a memory store (default) or any other store which implements the required methods (like connect-redis).
Details
Express.js/Connect creates a 24-character Base64 string using utils.uid(24)
and stores it in req.sessionID
. This string is then used as the value in a cookie.
Client Side
Signed cookies are always used for sessions, so the cookie value will have the following format.
[sid].[signature]
Where [sid] is the sessionID and [signature] is generated by signing [sid] using the secret key provided when initializing the session middleware.
The signing step is done to prevent tampering. It should be computationally infeasable to modify [sid] and then recreate [signature] without knowledge of the secret key used. The session cookie is still vulnerable to theft and reuse, if no modification of [sid] is required.
The name for this cookie is
connect.sid
Server Side
If a handler occurs after the cookieParser
and session
middleware it will have access to the variable req.cookies
. This contains a JSON object whose keys are the cookie keys and values are the cookie values. This will contain a key named connect.sid
and its value will be the signed session identifier.
Here's an example of how to set up a route that will check for the existence of the session cookie on every request and print its value to the console.
app.get("/*", function(req, res, next) {
if(typeof req.cookies['connect.sid'] !== 'undefined') {
console.log(req.cookies['connect.sid']);
}
next(); // Call the next middleware
});
You'll also need to make sure the router (app.use(app.router)
) is included after cookieParser
and session
in your configure section.
The following is an example of the data stored internally by Express.js/Connect.
{
"lastAccess": 1343846924959,
"cookie": {
"originalMaxAge": 172800000,
"expires": "2012-08-03T18:48:45.144Z",
"httpOnly": true,
"path": "/"
},
"user": {
"name":"waylon",
"status":"pro"
}
}
The user
field is custom. Everything else is part of session management.
The example is from Express 2.5.