express-session 모듈 옵션

express-session

express-session 공식문서에서 신경써서 봐야할 부분을 따로 발췌한 포스팅

session 스프린트의 코드와 비교하면서 보기

express-session
NPM Version NPM Downloads Build Status Test Coverage

Installation
This is a Node.js module available through the npm registry. Installation is done using the npm install command:

$ npm install express-session
API
var session = require('express-session')
session(options)
Create a session middleware with the given options.

Note Session data is not saved in the cookie itself, just the session ID. Session data is stored server-side.

Note Since version 1.5.0, the cookie-parser middleware no longer needs to be used for this module to work. This module now directly reads and writes cookies on req/res.

• 기본 쿠키 옵션 (나머지 옵션 및 설정들은 들어가서 보자.)
  cookie
  Settings object for the session ID cookie.
  The default value is { path: '/', httpOnly: true, secure: false, maxAge: null }.

(주의) secure 옵션의 기본 값이 false로 설정되어 있다.
secure : https 프로토콜에서만 쿠키를 전송할 것인가?

• session 옵션, 쿠키 옵션 설정 방법
  app.use(session(sess))
  The cookie.secure option can also be set to the special value 'auto' to have this setting automatically match the determined security of the connection. Be careful when using this setting if the site is available both as HTTP and HTTPS, as once the cookie is set on HTTPS, it will no longer be visible over HTTP. This is useful when the Express "trust proxy" setting is properly setup to simplify development vs production configuration.

app.use(
  session({
    secret: '@sehyun',
    resave: false,
    saveUninitialized: false,
    cookie: {
      domain: 'localhost',
      path: '/',
      maxAge: 24 * 6 * 60 * 10000,
      sameSite: 'none',
      httpOnly: true,
      secure: true,
    },
  })
);

• resave
  Forces the session to be saved back to the session store, even if the session was never modified during the request. Depending on your store this may be necessary, but it can also create race conditions where a client makes two parallel requests to your server and changes made to the session in one request may get overwritten when the other request ends, even if it made no changes (this behavior also depends on what store you're using).
  
  The default value is true, but using the default has been deprecated, as the default will change in the future. Please research into this setting and choose what is appropriate to your use-case. Typically, you'll want false.
  
  
  How do I know if this is necessary for my store? The best way to know is to check with your store if it implements the touch method. If it does, then you can safely set resave: false. If it does not implement the touch method and your store sets an expiration date on stored sessions, then you likely need resave: true.

• saveUninitialized
  Forces a session that is "uninitialized" to be saved to the store. A session is uninitialized when it is new but not modified. Choosing false is useful for implementing login sessions, reducing server storage usage, or complying with laws that require permission before setting a cookie. Choosing false will also help with race conditions where a client makes multiple parallel requests without a session.
  
  
  **The default value is true, but using the default has been deprecated, as the default will change in the future. Please research into this setting and choose what is appropriate to your use-case.
  
  

• secret(Required option)
  This is the secret used to sign the session ID cookie. This can be either a string for a single secret,
  or an array of multiple secrets. If an array of secrets is provided, only the first element will be used to sign the session ID cookie, while all the elements will be considered when verifying the signature in requests.
  The secret itself should be not easily parsed by a human and would best be a random set of characters.
  
  
  A best practice may include:
  The use of environment variables to store the secret, ensuring the secret itself does not exist in your repository.
  Periodic updates of the secret, while ensuring the previous secret is in the array.
  Using a secret that cannot be guessed will reduce the ability to hijack a session to only guessing the session ID (as determined by the genid option).
  
  
  Changing the secret value will invalidate all existing sessions. In order to rotate the secret without invalidating sessions, provide an array of secrets, with the new secret as first element of the array, and including previous secrets as the later elements.
  
  

• req.session.id
  Each session has a unique ID associated with it. This property is an alias of req.sessionID and cannot be modified. It has been added to make the session ID accessible from the session object.

• req.session.cookie
  Each session has a unique cookie object accompany it. This allows you to alter the session cookie per visitor. For example we can set req.session.cookie.expires to false to enable the cookie to remain for only the duration of the user-agent.

• req.sessionID
  To get the ID of the loaded session, access the request property req.sessionID. This is simply a read-only value set when a session is loaded/created.
  
  
  Session Store Implementation
  Every session store must be an EventEmitter and implement specific methods. The following methods are the list of required, recommended, and optional.
  
  
  Required methods are ones that this module will always call on the store.
  Recommended methods are ones that this module will call on the store if available.
  Optional methods are ones this module does not call at all, but helps present uniform stores to users.
  For an example implementation view the connect-redis repo.

• store.destroy(sid, callback) (Required)
  This required method is used to destroy/delete a session from the store given a session ID (sid). The callback should be called as callback(error) once the session is destroyed.

• store.get(sid, callback) (Required)
  This required method is used to get a session from the store given a session ID (sid). The callback should be called as callback(error, session).
  
  
  The session argument should be a session if found, otherwise null or undefined if the session was not found (and there was no error). A special case is made when error.code === 'ENOENT' to act like callback(null, null).