javascript node.js express session express-session

NodeJs express-session options


I want to create a login system using the express-session module. I am not sure if I am doing everything correctly, and I am confused by the secret option. My current initialization of express-session is this:

app.use(session({
   secret: 'important',
   resave: true,
   saveUninitialized: true,
   genid: function(req) {
       return uuidv4();
   }
}));

And I've read that the secret parameter is just for cookies (Link), but I don't want to use cookies. I just want to use sessions.

Can I now ignore the secret parameter?


Solution

  • Apart from what Quentin has pointed out, if you want the secret to be kept secret (as it is an open source project and you don't want to put it in public), you can use an environment variable.

    This should solve your problem:

    secret: process.env.MY_SECRET || "secret"
    

    If the environment variable is set, its value will be used. Else, the string "secret" will be used.

    As this is an important field that users should set, you can later check whether the environment variable is set and warn the users accordingly.
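
An added example, not part of the answer above or of express-session: one way to implement the "check whether the environment variable is set and warn" step so that a guessable fallback string never signs the session cookie. The function names, the 32-character minimum, the placeholder list and the use of NODE_ENV to decide between warning and refusing to start are assumptions of this example.

```javascript
// Added example: validating MY_SECRET before handing it to express-session.
const crypto = require('node:crypto');

// Assumptions of this example, not express-session rules.
const MIN_LENGTH = 32;
const PLACEHOLDERS = new Set(['secret', 'important', 'keyboard cat', 'changeme']);

// Returns a list of problems with a candidate secret (empty list = acceptable).
function secretProblems(value) {
  const problems = [];
  if (typeof value !== 'string' || value.length === 0) {
    problems.push('MY_SECRET is not set');
    return problems;
  }
  if (PLACEHOLDERS.has(value.trim().toLowerCase())) {
    problems.push('MY_SECRET is a well-known placeholder');
  }
  if (value.length < MIN_LENGTH) {
    problems.push(`MY_SECRET is shorter than ${MIN_LENGTH} characters`);
  }
  return problems;
}

// Resolves the value to pass as the `secret` option.
// Production: refuse to start on any problem.
// Elsewhere: warn; if unset, use a random per-process secret so no
// guessable constant ever signs a cookie (sessions reset on restart).
function resolveSessionSecret(env, warn = console.warn) {
  const problems = secretProblems(env.MY_SECRET);
  if (problems.length === 0) return env.MY_SECRET;
  if (env.NODE_ENV === 'production') {
    throw new Error(`Refusing to start: ${problems.join('; ')}`);
  }
  problems.forEach((p) => warn(`[session] ${p}`));
  return env.MY_SECRET || crypto.randomBytes(32).toString('hex');
}

// Usage with the options from the question:
//   app.use(session({ secret: resolveSessionSecret(process.env), ... }));
```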