Comments (4)
Hi @ORESoftware,
The observation is correct, for the most part. The short answer is because that's how the two modules are designed: express-session
is server-side sessions while cookie-session
is client-side sessions.
What does this mean?
Server-side sessions are sessions where the contents of the session are stored on the server-side. Where you store this is typically in a database or other storage mechanism. If you are using the memory of your Node.js web application as the storage location, then yes, restarting that server process will loose all sessions. The way this works is that each session is stored on the server with a unique identifier. A cookie is then sent on the user's web browser that is just this unique identifier.
Client-side sessions are sessions where the contents of the session are stored on the client itself. Rather than the value of the cookie just being a unique identifier, the value is the actual contents of the session, meaning that there is no aspect of the session actually stored on the server (so-called stateless sessions).
There are of course pros/cons to each approach, which is why the two mechanisms exist. There are many resources out there that describe in details these pros/cons, so I won't get into extreme detail here, but a few highlights:
- Client-side sessions are "heavy", as the client will transmit the entire contents of the session in an HTTP header with every request. HTTP headers cannot even be compressed in HTTP/1, so this is even heavier than one may realize. A server-side session, on the other hand, only sends a small unique identifier string in the header of every request.
- Server-side sessions can store a lot of data, since the data is not transferred back and forth. In fact, the value of a cookie has a max value, just under 4kb. More at https://github.com/expressjs/cookie-session#max-cookie-size
- Server-side sessions allow for revocation, where a user can invalidate sessions in other browsers, for example, since the source of truth for the sessions is on the server and under the control of the server.
The two modules give a choice between the two, and both have valid use-cases. For example, a client-side session can be good if the session does not contain much data, rarely changes, and there is no need to know what sessions are out in the wild (for tracking, listing, revocation, etc.).
I hope this helps! Let me know if you have any additional questions :)
from cookie-session.
that definitely helps thanks a ton for info
from cookie-session.
one more question - can the docs explain what the keys are ?
app.use(cookieSession({
name: 'lectal-cookie1',
keys: ['key1', 'key2']
}));
the docs don't seem to explain what these keys are about
from cookie-session.
Hi! There is the documentation section regarding keys https://github.com/expressjs/cookie-session#keys but I understand it can use a bit more information (noted & tracking in the existing issue #43).
Can you help me by telling me does the current documentation in that section not help? Does it make you ask a specific question, and if so, what is that question(s)?
from cookie-session.
Related Issues (20)
- Session does not get stored if keys is not an array HOT 3
- What am I doing wrong? [question] HOT 1
- Clearing session does not remove cookies HOT 8
- Generating unique session.sig after logout/login HOT 3
- Use cookie-session as non middleware HOT 2
- Not working with axios (chrome) but working with Postman HOT 10
- Document: Ambiguity in Signature Documentation HOT 4
- sameSite no longer defaults to 'None' when undefined HOT 4
- session cookie value is exceedingly long and fails Set-Cookie with invalid syntax HOT 2
- secureProxy option to be able to use with non-Express servers behind SSL proxy HOT 1
- Suggestion: a custom name instead of req.session HOT 2
- Update dependency from [email protected] to [email protected] HOT 3
- Is there a risk when someone modifies the userId in the cookie? HOT 2
- Session cookie not sent over from server when using Firefox HOT 4
- Problem using with passport 0.6.0: session.regenerate is not a function HOT 7
- flag Priority=High
- encrypt cookies
- The link to a list of browser cookie limits is dead
- Larger cookies with compression
- cookie options not being set
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cookie-session.