There are two session-related middlewares bundled with Connect/Express. What is the difference? How do I choose?
I'm assuming that session middleware is the same as coo
Both middlewares make use of client-side cookies to maintain a user's context, i.e. Session. The difference lies in:
The table below compares cookieSession middleware and session middleware wrt Sessions:
+----------------+-----------------------+----------------------+
|                |   Client-side store   |  Server-side store   |
|                |       (cookie)        |  (in-memory, db ..)  |
+----------------+--------+--------------+-------+--------------+
| Middleware     | Used?  | Content      | Used? | Content      |
+----------------+--------+--------------+-------+--------------+
| session        | Yes    | Session ID   | Yes   | Session data |
+----------------+--------+--------------+-------+--------------+
| cookie-session | Yes    | Session data | No    | N/A          |
+----------------+--------+--------------+-------+--------------+
cookieSession middleware is simpler in that it doesn't require any additional server-side store, i.e. the server remains entirely stateless. session middleware requires a server-side store. An obvious limitation of the default in-memory based session store is that it doesn't work when there are multiple instances of a server; an alternative shared storage (e.g., a database) will be needed in such cases, which makes it relatively complex. In general though, session middleware is more commonly used since it's more flexible (for storing sensitive data, or larger payloads, etc.).
The session middleware implements generic session functionality with in-memory storage by default. It allows you to specify other storage formats, though.
The cookieSession middleware, on the other hand, implements cookie-backed storage (that is, the entire session is serialized to the cookie, rather than just a session key). It should really only be used when session data is going to stay relatively small.
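
A simplified model of the two storage designs compared in the answers above, added here as an illustration; it is not the code of either middleware or of the posters. The helper names, the secret and the sample session are constructed, and the HMAC-signed base64 JSON cookie is an assumed format for the sketch, not the middlewares' exact wire format.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed; use a random key in practice
const sign = (v) => crypto.createHmac('sha256', SECRET).update(v).digest('base64url');

// cookie-session model: the whole session is serialized into the cookie and signed.
function cookieSessionIssue(data) {
  const payload = Buffer.from(JSON.stringify(data)).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

function cookieSessionLoad(cookie) {
  const [payload, mac = ''] = cookie.split('.');
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  // Reject anything whose signature does not match (tampered or malformed cookie).
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  return JSON.parse(Buffer.from(payload, 'base64url').toString());
}

// session model: the cookie carries only a random ID; the data stays on the server.
const store = new Map(); // stands in for the default in-memory store
function serverSessionIssue(data) {
  const id = crypto.randomBytes(16).toString('hex');
  store.set(id, data);
  return id;
}
function serverSessionLoad(id) {
  return store.get(id) ?? null;
}

// What a client can read from the cookie value alone, without knowing SECRET.
function readableByClient(cookie) {
  try {
    return JSON.parse(Buffer.from(cookie.split('.')[0], 'base64url').toString());
  } catch {
    return null; // an opaque session ID decodes to nothing meaningful
  }
}

const sample = { user: 'alice', role: 'user' }; // constructed sample session
const cookieA = cookieSessionIssue(sample);
const cookieB = serverSessionIssue(sample);
console.log('cookie-session:', cookieA.length, 'chars, client reads', readableByClient(cookieA));
console.log('session:       ', cookieB.length, 'chars, client reads', readableByClient(cookieB));
```

Signing stops the client from changing a cookie-backed session but does not hide its contents, and the cookie grows with the session, whereas the ID cookie stays the same size.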