What is the session's "secret" option?

node.js session connect
Harry picture Harry · Mar 17, 2011 · Viewed 61.5k times · Source

I don't know anything about cryptography. I'm wondering what the session secret is.

I see code like this:

app.use(express.session({
  store: mongoStore({
    url: app.set('db-uri')
  }),
  secret: 'topsecret'
}));

What is the secret and should I change it?

Answer

Hacknightly picture Hacknightly · Mar 17, 2011

Yes, you should change it. A session secret in connect is simply used to compute the hash. Without the string, access to the session would essentially be "denied". Take a look at the connect docs, that should help a little bit.

Related questions

Change cookie expiration in Express

Because I didn't define a maxAge when calling expressServer.use(express.session({params})) the cookie's expiration is set as "Session". I would like to add a "remember me" feature when logging in. If "remember me" is selected, the expiration will …

Read More
What's difference with express-session and cookie-session?

I am new with Express. As Express 4.x has removed bundled middlewares. Any middleware I want to use should be required. When I read the README with express-session and cookie-session on github, I feel it hard to understand the difference. …

Read More
Node.js server restart drops the sessions

I'm having fully functional user signup/authentication system using express and connect middleware. app.use(express.session({store: require('connect').session.MemoryStore( {reapInterval: 60000 * 10} ) })) The only problem is that sessions drop every time you perform server restart. https://github.com/remy/…

Read More