I am using Node.js with express-session.
One question answered here advises to use req.cookies['connect.sid'] to get the session ID. Another answer suggests I use req.sessionID.
When I compare the two, req.cookies['connect.sid'] has a string like the following:
s:G1wOJoUAhhemRQqCs7dAGlMIk5ZGaJUg.z1/HrHTfndRqKpXza8qWuwHLS067xrWfVgqTDDGYoos
req.sessionID has a string like the following:
G1wOJoUAhhemRQqCs7dAGlMIk5ZGaJUg
If the second string is the session ID (G1wOJoUAhhemRQqCs7dAGlMIk5ZGaJUg), what is the other information in the connect.sid cookie?
Tried looking for the answer via Google and other websites with no luck.
Thanks,
Darren
express-session stores all session information server-side. If you use an SQL database, you'd have a table for your sessions that would look like this:

    sid | sess | expire
    R02GJn2GoyaqRyten1BEGbHa0XCbj529 | {"cookie":{"originalMaxAge":null,"expires":null,"httpOnly":true,"path":"/"},"mybool":true,"userid":16}

That's the answer to your question, and a short explanation of what the data means: sessionID is just a (primary) key to access the data that is only available server-side.
Now from your question it looks like you're planning on using express-session wrong.
To use express-session on your express server you would include it like so:

    const express = require('express');
    const session = require('express-session');

    const app = express();

    app.use(session({
        name: 'mycookie',            // cookie name (the default is 'connect.sid')
        secret: 'mysecret',          // key used to sign the session ID cookie
        saveUninitialized: false,
        resave: true
    }));

and every request that goes into all subsequent routes after this will have a .session attribute. In any case, you should never need to access the session ID yourself; the middleware itself authenticates every request against whatever store you used for express-session.

    // Store values on the session; they are saved server-side
    app.get('/givemeasession', function (req, res, next) {
        req.session.mybool = true;
        req.session.somedata = 'mystring';
        req.session.evenobjects = { data: 'somedata' };
        res.send('Session set!');
    });

    // Read the values back on a later request from the same client
    app.get('/mysession', function (req, res, next) {
        res.send('My string is ' + req.session.somedata + ' and my object is ' + JSON.stringify(req.session.evenobjects));
    });

Bottom line: you shouldn't ever need to access the cookie yourself, or do anything with it, because any cookie auth is automatically handled by the middleware.