NodeJs express-session options

Question

I want to create a login system by using the express-session module. I am not sure if I does all correct and I am confused by the secret option. My currently initalize for the express-session is this:

app.use(session({
   secret: 'important',
   resave: true,
   saveUninitialized: true,
   genid: function(req) {
       return uuidv4();
   }
}));

And I´ve read that the secret parameter is just for cookies ( Link ) but I don´t want to use cookies. I just want to use sessions.

Can I now ignore the secret parameter?

Answer 1

Apart from what Quentin has pointed out , if you want the secret to be kept secret (as it is an open source project and you don't want to put it in public), you can use an environment variable.

This should solve your problem:

secret: process.env.MY_SECRET || "secret"

If the environment variable is set, its value will be used. Else, the string "secret" will be used.

As this is an important field, that the users should set it, you can later check if the environment variable is set or not and warn the users accordingly.

Answer 2

Short answer: No. You need to use cookies.

---

When you store a data in a session, it is put in a storage area on the server that is associated with an identifier that represents the user.

When the browser makes a request to the server, the server needs some way to tell which storage area to use. It does this by putting the identifier in a cookie and giving it to the browser (which then includes it in each subsequent request until the browser is closed).

---

If you really, really don't want to use cookies, then you would have to use some other mechanism to include the token in every request from the browser such as putting it in every URL. This is what PHP does if you use trans_sid … and is considered a bad idea:

URL based session management has additional security risks compared to cookie based session management.