Express Session is a session middleware for Express.js applications that provides server-side session storage with configurable session ID cookies. It enables stateful user sessions with automatic session lifecycle management, built-in security features, and support for various storage backends.
npm install express-sessionconst session = require('express-session');For ES6 modules:
import session from 'express-session';Access to additional classes:
const { Store, Cookie, Session, MemoryStore } = require('express-session');const express = require('express');
const session = require('express-session');
const app = express();
// Configure session middleware
app.use(session({
secret: 'keyboard cat',
resave: false,
saveUninitialized: true,
cookie: { secure: false, maxAge: 60000 }
}));
// Use session in routes
app.get('/', (req, res) => {
if (req.session.views) {
req.session.views++;
res.send(`Number of views: ${req.session.views}`);
} else {
req.session.views = 1;
res.send('Welcome to the session demo. Refresh!');
}
});Express Session is built around several key components:
The middleware automatically handles session ID generation, cookie parsing, session loading/saving, and cleanup based on configurable options.
Core session middleware factory function with comprehensive configuration options for session behavior, cookie settings, and security features.
function session(options: SessionOptions): (req: Request, res: Response, next: NextFunction) => void;
interface SessionOptions {
secret: string | string[];
cookie?: CookieOptions;
genid?: (req: Request) => string;
name?: string;
proxy?: boolean;
resave?: boolean;
rolling?: boolean;
saveUninitialized?: boolean;
store?: Store;
unset?: 'destroy' | 'keep';
}
interface CookieOptions {
domain?: string;
expires?: Date;
httpOnly?: boolean;
maxAge?: number;
partitioned?: boolean;
path?: string;
priority?: 'low' | 'medium' | 'high';
sameSite?: boolean | 'lax' | 'strict' | 'none';
secure?: boolean | 'auto';
}Session data access and lifecycle management methods available on the request object, providing persistent storage and session control capabilities.
interface SessionData {
id: string;
cookie: Cookie;
[key: string]: any;
}
// Session lifecycle methods
req.session.regenerate(callback: (err?: Error) => void): Session;
req.session.destroy(callback: (err?: Error) => void): Session;
req.session.reload(callback: (err?: Error) => void): Session;
req.session.save(callback: (err?: Error) => void): Session;
req.session.touch(): Session;Session cookie configuration and manipulation with security features and expiration handling.
class Cookie {
constructor(options?: CookieOptions);
path: string;
maxAge: number | null;
httpOnly: boolean;
secure?: boolean;
domain?: string;
sameSite?: boolean | string;
partitioned?: boolean;
priority?: string;
expires?: Date;
originalMaxAge?: number;
serialize(name: string, val: string): string;
toJSON(): object;
readonly data: object;
}Abstract base class and interface for implementing custom session storage backends with required and optional methods.
class Store extends EventEmitter {
// Required methods
destroy(sid: string, callback: (err?: Error) => void): void;
get(sid: string, callback: (err?: Error, session?: any) => void): void;
set(sid: string, session: any, callback: (err?: Error) => void): void;
// Recommended methods
touch(sid: string, session: any, callback: (err?: Error) => void): void;
// Optional methods
all(callback: (err?: Error, sessions?: { [sid: string]: any }) => void): void;
clear(callback: (err?: Error) => void): void;
length(callback: (err?: Error, length?: number) => void): void;
// Utility methods
regenerate(req: Request, callback: (err?: Error) => void): void;
load(sid: string, callback: (err?: Error, session?: Session) => void): void;
createSession(req: Request, sess: any): Session;
}Express Session extends the Express request object with session-related properties:
interface Request {
session: SessionData;
sessionID: string;
sessionStore: Store;
}These properties are automatically added when the session middleware processes a request.