express-session

express-session is a session middleware for Express that creates server-side sessions identified by a session ID cookie sent to the client. When a user makes a request, the middleware reads the session ID from the cookie, retrieves the corresponding session data from a store, and makes it available at req.session. Session data persists across requests for the same user, enabling authentication state, shopping carts, form wizard progress, and user preferences without client-side storage. The middleware supports configurable cookie options (name, maxAge, httpOnly, secure, sameSite, domain, path), session regeneration for security (preventing session fixation attacks), and rolling sessions that reset the cookie expiration on each request. By default, express-session uses an in-memory store suitable only for development — production deployments should use persistent stores like connect-redis, connect-mongo, connect-pg-simple, or connect-session-sequelize for session data. The middleware integrates with Passport for authentication session management and supports session destruction for logout functionality. express-session is essential for traditional server-rendered applications that use cookie-based authentication, though modern SPAs often prefer stateless JWT-based approaches instead.