Tags: node.js, session, express, passport.js, flash-message

Why are flash messages stored in a session in Node.js auth?


I am looking at an auth application using express and flash messages using the 'connect-flash' middleware.

According to connect-flash:

The flash is a special area of the session used for storing messages. Messages are written to the flash and cleared after being displayed to the user. The flash is typically used in combination with redirects, ensuring that the message is available to the next page that is to be rendered. Flash messages are stored in the session. First, setup sessions as usual by enabling cookieParser and session middleware. Then, use flash middleware provided by connect-flash.

Why is the flash message stored in the session? Would that not increase the size of the cookie, and wouldn't that be bad, as too much memory space could be used?


Solution

  • Why is the flash message stored in the session?

    Because connect-flash needs a way to propagate the flash messages between requests, and session storage is a useful method of doing that.

    Would that not increase the size of the cookie?

    Not generally, no. A session cookie contains a single piece of information, the session id. Using that id, the session data is looked up from the session storage, which is usually a database of some sort. So the cookie size remains the same regardless of how much data gets stored in the session. However, the session storage will increase in size, but that's usually not a big problem.

    A notable exception to the statement above is if you're using something like cookie-session, which stores the entire session data in the cookie itself (therefore not requiring a separate session storage to be set up).
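The difference described in the answer above, as an added example that is not part of the original answer and is not code from connect-flash, express-session or cookie-session. It models the flash read-and-clear behaviour and the two session layouts in plain Node.js; the function names, the sample session, the placeholder session id and the 4096-byte limit are assumptions made for illustration.

```javascript
// Model of connect-flash's req.flash(): write with (type, msg), read-and-clear with (type).
function flash(session, type, msg) {
  session.flash = session.flash || {};
  if (msg !== undefined) {
    (session.flash[type] = session.flash[type] || []).push(msg);
    return session.flash[type].length;
  }
  const msgs = session.flash[type] || [];
  delete session.flash[type]; // cleared once handed to the view
  return msgs;
}

// Server-side store (express-session style): the cookie carries only the session id.
function idCookie(store, sid, session) {
  store.set(sid, JSON.stringify(session)); // data stays on the server
  return `connect.sid=${sid}`;
}

// Cookie-stored session (cookie-session style): the whole session is serialized
// into the cookie. base64 is an encoding, so the client can read the contents.
function dataCookie(session) {
  return `session=${Buffer.from(JSON.stringify(session)).toString('base64')}`;
}

const COOKIE_LIMIT = 4096; // assumption: typical per-cookie browser limit in bytes

function compare(messages) {
  const store = new Map();
  const sid = 'sid-0123456789abcdef0123456789abcdef'; // constructed placeholder id
  const session = { user: 'alice' };                   // constructed sample session
  for (const m of messages) flash(session, 'error', m);
  const a = idCookie(store, sid, session);
  const b = dataCookie(session);
  return {
    idCookieBytes: Buffer.byteLength(a),
    dataCookieBytes: Buffer.byteLength(b),
    storeBytes: Buffer.byteLength(store.get(sid)),
    overLimit: Buffer.byteLength(b) > COOKIE_LIMIT,
  };
}

console.log(compare(['Invalid password']));
console.log(compare(Array(50).fill('x'.repeat(100))));
```

With the store-backed layout the cookie stays the same size while the store entry grows; with the cookie-stored layout the flash text travels in every request and can push the cookie past what browsers accept.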