
There are two session-related middleware packages bundled with Connect/Express.

What is the difference? How do I choose?

I'm assuming that session middleware is the same as cookieSession middleware - but with an extra store mechanism.

Chenmunka
gfaceless

2 Answers

The session middleware implements generic session functionality with in-memory storage by default. It allows you to specify other storage formats, though.

The cookieSession middleware, on the other hand, implements cookie-backed storage (that is, the entire session is serialized to the cookie, rather than just a session key). It should really only be used when session data is going to stay relatively small.

mikemaccana
jmar777
    And, as I understand, it (cookie-session) should only be used when session data isn't sensitive. It is assumed that a user could inspect the contents of the session, but the middleware will detect when the data has been modified. – Ryan Bales Jul 10 '14 at 02:37
  • @RyanBales if the session data should be kept private then you should be using TLS, but in that case it's likely that e.g. form data should be kept private as well so you should be using TLS anyway. The default settings will keep other sites from reading these cookies. It's hard to imagine a situation in which you want to hide information about a user's session from that user, but in that case you could just encrypt the session data before storing it. – Jess Austin Oct 31 '14 at 12:05

Both middlewares make use of client-side cookies to maintain a user's context, i.e. the session. The difference lies in:

  • What gets stored in the cookies, and
  • Whether server-side store is needed

The table below compares cookieSession middleware and session middleware with respect to sessions:

+----------------+-----------------------+----------------------+
|                |   Client-side store   |   Server-side store  |
|                |        (cookie)       |  (in-memory, db ..)  |
+----------------+-----------------------+----------------------+
| Middleware     | Used?  |    Content   | Used? |    Content   |
+----------------+--------+--------------+-------+--------------+
| session        |   Yes  |  Session ID  |  Yes  | Session data |
+----------------+--------+--------------+-------+--------------+
| cookie-session |   Yes  | Session data |   No  |      N/A     |
+----------------+--------+--------------+-------+--------------+

cookieSession middleware is simpler in that it doesn't require any additional server-side store, i.e. the server remains entirely stateless. session middleware requires a server-side store. An obvious limitation of the default in-memory based session store is that it doesn't work when there are multiple instances of a server; an alternative shared storage (e.g., a database) will be needed in such cases, which makes it relatively complex. In general though, session middleware is more commonly used since it's more flexible (for storing sensitive data, or larger payloads, etc.).

Brij