Those cryptic Session attributes
When you’re creating a new session in Express, what do the keys in the session object mean?
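const express = require('express');
const session = require('express-session');
const app = express();
// Register the session middleware with the three options discussed below
app.use(session({
  secret: 'snapcracklepop',
  resave: false,
  saveUninitialized: true
}));
secret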
Documentation: This is the secret used to sign the session ID cookie.
In short, the encryption key.
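What "sign the session ID cookie" looks like in practice, as an added example (not code from the original post or from express-session itself): the secret keys an HMAC over the session ID, so the ID stays readable in the cookie and a changed ID or a different secret fails verification. The `s:` prefix and HMAC-SHA256 format follow the cookie-signature package that express-session relies on; the function names and sample IDs are made up for illustration.

```javascript
const crypto = require('crypto');

// HMAC-SHA256 over the session ID, base64 with '=' padding stripped.
function sign(sid, secret) {
  const mac = crypto.createHmac('sha256', secret).update(sid).digest('base64');
  return sid + '.' + mac.replace(/=+$/, '');
}

// Returns the session ID if the signature checks out, otherwise false.
function unsign(signed, secret) {
  const sid = signed.slice(0, signed.lastIndexOf('.'));
  const expected = Buffer.from(sign(sid, secret));
  const actual = Buffer.from(signed);
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  return expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual) ? sid : false;
}

// Cookie value as sent to the browser: "s:" prefix + signed session ID.
function toCookieValue(sid, secret) {
  return 's:' + sign(sid, secret);
}

// Reads a cookie value back; false means the cookie must be ignored.
function fromCookieValue(value, secret) {
  if (typeof value !== 'string' || !value.startsWith('s:')) return false;
  return unsign(value.slice(2), secret);
}

// Constructed sample values (the secret is the one from the snippet above).
const SECRET = 'snapcracklepop';
const SID = 'Zk3vT0mConstructedSessionId';
const cookie = toCookieValue(SID, SECRET);

// A cookie whose ID was changed while the old signature was kept.
const altered = 's:' + 'AnotherConstructedSessionId' +
  cookie.slice(cookie.lastIndexOf('.'));

console.log(cookie);                                   // ID is visible in the value
console.log(fromCookieValue(cookie, SECRET));          // the original ID
console.log(fromCookieValue(altered, SECRET));         // false
console.log(fromCookieValue(cookie, 'other-secret'));  // false
```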
resave
Documentation: Forces the session to be saved back to the session store, even if the session was never modified during the request.
Was the session updated in any way during the request or not? With resave set to false, the session is saved back to the store only when you make a change to it, rather than on every request. Why would we ever want resave set to false? Some session stores will delete old sessions unless they have been changed, so if we’re not using a session store that would delete sessions this way, we don’t need to resave.
saveUninitialized
Documentation: Forces a session that is “uninitialized” to be saved to the store. A session is uninitialized when it is new but not modified.
Middleware runs for every request, so a session is created for every single request, whether the user is logged in or logged out. This could be a completely useless session: why create a session if the user won’t log in? In this case, we are setting it to true. That means we can go back and look up the session for a particular user, even if they have not logged in.
