express-session
HTTP session middleware for Express.js. It creates a session identifier, sends it to the browser in a signed cookie (the cookie carries only the ID, never the session data), and exposes req.session for keeping per-user state on the server. The session store is pluggable: the default MemoryStore is for development only, and adapters exist for Redis (connect-redis), MongoDB (connect-mongo), PostgreSQL, and others. This is the standard approach to cookie-based session auth in traditional Express web applications.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Session cookies need the HttpOnly, Secure and SameSite attributes; express-session sets HttpOnly by default, but Secure and SameSite must be configured explicitly. The secret option accepts an array, so rotation is done by prepending the new secret and keeping the old one until existing sessions expire; replacing the secret outright invalidates every session. MemoryStore is unsuitable for production: it leaks memory and is per-process, so sessions are neither shared across instances nor survivable across restarts.
⚡ Reliability
Best When
You're building a traditional server-rendered Express.js web application that needs user sessions with server-side state storage.
Avoid When
You're building a stateless REST API, or you need to scale horizontally and cannot run a shared session store. In those cases use token-based auth (for example JWT) instead.
Use Cases
- Implement user login sessions in Express.js web applications with server-side session storage
- Persist authentication state across requests using session cookies, with the req.session.userId = user.id pattern
- Store shopping cart, multi-step form state, or user preferences server-side without JWT overhead
- Use Redis as the production session store (connect-redis) so multiple instances share sessions
- Implement flash messages (one-time session notifications) via req.session.flash in Express.js MPA apps
Not For
- Stateless API authentication: sessions require server-side state; use JWT/Bearer tokens for stateless REST APIs
- Mobile app authentication: native HTTP clients don't manage cookies the way browsers do; token-based auth is the usual choice
- Microservice authentication: sessions require a store shared by every service; JWT is better suited to distributed auth
Interface
Authentication
The middleware itself only needs a secret for signing the session cookie; it does not authenticate anyone. Authentication state is whatever application code writes to req.session (e.g. req.session.userId), and the session ID should be regenerated with req.session.regenerate() after a successful login so a session ID fixed before login is discarded. Combine express-session with Passport for a complete login flow.
Pricing
Fully free, MIT licensed. Production session store (Redis) has its own costs.
Agent Metadata
Known Gotchas
- ⚠ The default MemoryStore is NOT for production: it leaks memory and is per-process, so sessions are not shared between instances or workers; always configure a persistent store (connect-redis, connect-mongo) in production
- ⚠ secret must be a long, cryptographically random string (generate it, don't type it); a guessable secret lets an attacker sign an arbitrary session ID and forge session cookies. Pass an array to rotate: the first element signs new cookies, every element is accepted for verification
- ⚠ saveUninitialized: false is recommended: a store entry and cookie are only created once something is written to req.session, so bots and crawlers don't fill the store and no cookie is set before the user has done anything
- ⚠ resave: false is recommended when the store implements touch() (connect-redis does); with a store that uses TTLs but has no touch(), idle sessions can expire mid-use and resave: true is the fallback. Check your store's touch() support
- ⚠ req.session.destroy() is callback-based and does not return a promise, so awaiting it does nothing; put the redirect inside the callback, because code placed after the call runs before the session is removed from the store. Clearing the session cookie in the same callback is good hygiene
- ⚠ Production needs HTTPS with cookie.secure: true; without the Secure attribute the session cookie is sent over plain HTTP and can be intercepted. Behind a TLS-terminating proxy or load balancer also set app.set('trust proxy', 1), otherwise express-session sees a non-HTTPS connection and will not set the cookie at all
Alternatives
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for express-session.
Scores are editorial opinions as of 2026-03-06.