Those cryptic Session attributes

Adrienne Tran
Jul 25, 2017 · 1 min read

When you’re creating a new session in Express, what do the keys in the session object mean?

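    const express = require('express');
    const session = require('express-session');
    const app = express();

    // Session middleware with the three options discussed below
    app.use(session({
      secret: 'snapcracklepop',
      resave: false,
      saveUninitialized: true
    }));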

secret

Documentation: This is the secret used to sign the session ID cookie.

In short, the signing key. The cookie is signed so the server can detect tampering with the session ID; it is not encrypted.
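What "sign the session ID cookie" means in practice, as an added example (not code from the original post or from express-session itself): it models the HMAC-SHA256 signing scheme with Node's built-in crypto module. The session ID is a constructed sample, and the function names are hypothetical.

```javascript
const crypto = require('crypto');

// Constructed sample values; the secret is the one from the post's snippet.
const SECRET = 'snapcracklepop';
const SESSION_ID = 'q7Jx0Vt2mC5rEXAMPLEsessionId';

// HMAC-SHA256 over the value, base64 without padding, appended after a dot.
function sign(value, secret) {
  const mac = crypto.createHmac('sha256', secret).update(value).digest('base64');
  return value + '.' + mac.replace(/=+$/, '');
}

// Recompute the signature and compare in constant time.
// Returns the original value, or false if it does not verify.
function unsign(signed, secret) {
  const idx = signed.lastIndexOf('.');
  if (idx === -1) return false;
  const value = signed.slice(0, idx);
  const expected = Buffer.from(sign(value, secret));
  const actual = Buffer.from(signed);
  return expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual) ? value : false;
}

// Cookie value as sent to the browser: the "s:" prefix marks a signed value.
function makeCookie(sessionId, secret) {
  return 's:' + sign(sessionId, secret);
}

// Server side: strip the prefix, verify, and return the session ID or false.
function readCookie(cookie, secret) {
  if (!cookie.startsWith('s:')) return false;
  return unsign(cookie.slice(2), secret);
}

const cookie = makeCookie(SESSION_ID, SECRET);
console.log(cookie);                      // the session ID is visible in clear text
console.log(readCookie(cookie, SECRET));  // verifies and returns the session ID

// A changed session ID with the old signature is rejected.
const tampered = 's:' + 'aDifferentSessionId' + cookie.slice(cookie.lastIndexOf('.'));
console.log(readCookie(tampered, SECRET));

// A cookie signed under one secret does not verify under another.
console.log(readCookie(cookie, 'a-different-secret'));
```

The signature only proves that the value was issued by someone holding the secret, so the secret needs to be long, random and kept out of source control, unlike the sample string in the snippet.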

resave

Documentation: Forces the session to be saved back to the session store, even if the session was never modified during the request.

Was the session updated in any way or not? With resave set to true, the session is written back to the store on every request, whether or not anything in it changed; with false, it is saved only when you make a change. Why would we ever want resave set to false? Some session stores delete old sessions unless they have been changed, and re-saving on every request is what keeps them alive there. If we’re not using a store that deletes sessions that way, we don’t need to resave.

saveUninitialized

Documentation: Forces a session that is “uninitialized” to be saved to the store. A session is uninitialized when it is new but not modified.

Middleware runs for every request, so a session is created for every single request, whether the user is logged in or logged out. This could be a completely useless session: why create a session if the user won’t log in? In this case, we are setting it to true. That means the new session is saved, and we can go back and look up the session for a particular user even if they have not logged in.

Product @ Tesla. Ex-Google, Ex-Bridgewater.
