I always thought that Express session information is stored in MongoDB on the server side if app.use(session({store: mongoConnection})) is used.
But when I tried to retrieve a session variable set previously on the server side with the first browser and I go to the next browser to get it, I can't get that variable. So eventually session variables are stored in cookies on specific browsers? Otherwise I would have gotten that variable regardless of which browser I'm using.
If so, what does that app.use mongo connection do? What is it storing?
Session data is stored on the session store. But a cookie is used to track the session ID for a given browser session. The cookie does not convey session data, just the session ID and some other information for validation purposes. The actual session data is stored on the session store and is not transmitted over the wire, thus preventing some kinds of attacks.
The cookie used to track the session is transferred from browser to server on every request during the session. Therefore you can't access session information from another browser.
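The split described in the answer can be modelled with Node's standard library alone. This is an added example, not code from the original post or from express-session: the Map stands in for the MongoDB store, and SECRET, handleRequest, verifyCookie and the cookie layout are hypothetical names and a simplified format chosen for illustration.

```javascript
// Added illustration: stdlib-only model of a server-side session store.
const { randomBytes, createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-secret';   // constructed value, not a real key
const store = new Map();                    // stands in for the MongoDB session store

// Sign the session ID so the server can reject cookies it did not issue.
const mac = (sid) => createHmac('sha256', SECRET).update(sid).digest('base64url');
const toCookie = (sid) => `${sid}.${mac(sid)}`;

// Return the session ID if the cookie's signature verifies, else null.
function verifyCookie(cookie) {
  if (typeof cookie !== 'string') return null;
  const dot = cookie.lastIndexOf('.');
  if (dot < 1) return null;
  const sid = cookie.slice(0, dot);
  const given = Buffer.from(cookie.slice(dot + 1));
  const expected = Buffer.from(mac(sid));
  const ok = given.length === expected.length && timingSafeEqual(given, expected);
  return ok ? sid : null;
}

// One request: look up the session by cookie, or create one if missing/invalid.
// `write` is an optional object merged into the server-side session data.
function handleRequest(cookie, write) {
  let sid = verifyCookie(cookie);
  if (sid === null || !store.has(sid)) {
    sid = randomBytes(18).toString('base64url');
    store.set(sid, {});
  }
  Object.assign(store.get(sid), write || {});
  // Only the signed ID goes back to the browser; the data stays in the store.
  return { cookie: toCookie(sid), session: { ...store.get(sid) } };
}

// Two browsers are two separate cookie jars (constructed scenario).
function demo() {
  const a1 = handleRequest(undefined, { user: 'alice' }); // browser A, first visit
  const a2 = handleRequest(a1.cookie);                    // browser A, same cookie
  const b1 = handleRequest(undefined);                    // browser B, no cookie yet
  const forged = handleRequest(a1.cookie.slice(0, -1) + 'x'); // signature broken
  return { a1, a2, b1, forged };
}

console.log(demo());
```

Browser B and the request with the altered signature each receive a fresh, empty session, while browser A's second request resolves to the stored data through the ID alone.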