more notes on session and cookies

Author: rohan-paul

MongoDB/mongo-connect-npm-package-what-it-does.md

@@ -1 +1,19 @@
-[connect-mongo](https://github.com/jdesboeufs/connect-mongo) package stores MongoDB session for Express and Connect
+### [connect-mongo](https://github.com/jdesboeufs/connect-mongo) package stores MongoDB session for Express and Connect
+
+ So, implemented sessions using Passport, but for storing sessions into my mongodb I use connect-mongo using a mongoose connection to connect to the mongodb database.
+
+Then most standard implementation code is given in the [officila doc](https://github.com/jdesboeufs/connect-mongo#express-or-connect-integration)
+
+```js
+const session = require('express-session');
+const MongoStore = require('connect-mongo')(session);
+
+app.use(session({
+    secret: 'foo',
+    store: new MongoStore({ mongooseConnection: connection })
+}));
+
+```
+connect-mongo stores sessions in the ["sessions" collection by default](https://github.com/jdesboeufs/connect-mongo/blob/bca754cc6ccded953f85ca37f647619f26b6783d/lib/connect-mongo.js#L22).
+
+https://stackoverflow.com/questions/23773537/how-are-connect-mongo-mongostore-sessions-actually-saved

Node-Express/express-session-how-it-works.md

@@ -1,3 +1,43 @@
+## What is a session?
+
+A session is a place to store data that you want access to across requests. Each user that visits your website has a unique session.  You can use sessions to store and access user data as they browse your application. Sessions are integral to web application development because they allow the application to store state. Based on what action a user took on Page A, we can show a different Page B. Without them, applications would be stateless, and not very useful.
+
+Sessions can store their information in different ways. The popular ways to store session data is:
+
+- In application memory
+- In a cookie
+- In a memory cache
+- In a database
+
+#### The module like express-session will provide you with a nice API to work with sessions (letting you get & set data to the session), but under the hood, it will save and retrieve this data using a cookie.
+
+
+### Storing Session Data in Application Memory
+
+One way to store session data is in Application memory. This is often the simplest way, but not used in production.
+
+Storing session data in application memory essentially means that the data is stored for the lifetime of your application runtime. If your web application server crashes or is stopped, all session data is removed.
+
+Storing session data in memory also causes memory leaks. As your application stays running, more and more memory is used, until your app runs out of memory.
+
+For development purposes, it is often useful to store sessions in application memory. Otherwise, there are better ways of storing session data. We’ll explore these below.
+
+### Storing Session Data in Cookies
+
+A cookie is usually a small piece of data that gets sent between a web server to your web browser. It allows the server to store information relevant to a specific user.
+
+One common use for cookies is to store session data. This works in the following way.
+
+The server issues a cookie that gets sent to the web browser and stored for a period of time (called the expiration time).
+When a user makes a subsequent request to the web server, this cookie gets sent along with the request, and the server can read the information that is in it.
+The server can manipulate the cookie if it needs to, and then sends it back to the browser.
+Until the cookie expires, every time you make a request, your browser will send the cookies back to the server.
+
+#### The module like express-session will provide you with a nice API to work with sessions (letting you get & set data to the session), but under the hood, it will save and retrieve this data using a cookie.
+
+
+
+
 ### We use sessions to maintain state between user requests and we use cookies to transport the session ID between those requests.
 
 Every user interaction with your application is an isolated and individual request and response. The need to persist information between requests is vital for maintaining the ultimate experience for the user.
@@ -8,12 +48,26 @@ So I have to securely set up sessions in my application to mitigate risks such a
 
 [express-session](https://www.npmjs.com/package/express-session) (https://github.com/expressjs/session ) - A very popular session module that has been highly vetted by the community and constantly improved.
 
+```js
+const session = require('express-session')
+const dbConnection = require('./database')
+const MongoStore = require('connect-mongo')(session)
 
+app.use(
+	session({
+		secret: 'fraggle-rock', //pick a random string to make the hash that is generated secure
+		store: new MongoStore({ mongooseConnection: dbConnection }),
+		resave: false, //required
+		saveUninitialized: false //required
+	})
+)
 
+```
 
 ## What’s Going On Here
 
-We're importing the [session function](https://github.com/expressjs/session/blob/master/session/session.js#L24) from the express-session NPM module and passing the session function a configuration object to set properties such as:
+We're importing the [session function](https://github.com/expressjs/session/blob/master/session/session.js#L24) from the express-session NPM module and passing the session function a configuration object to set properties inside the object passed to express-session. Note **express-session**, requires an object as an argument to initialize it.
+
 
 **Secret**. Required option. This is a value used in the signing of the session ID cookie, that is stored in the cookie.
 
@@ -37,9 +91,7 @@ Forces a session that is "uninitialized" to be saved to the store. A session is
 
 
 
-
-
-
 #### Good resources
  - https://dzone.com/articles/securing-nodejs-managing-sessions-in-expressjs
- -
+
+ - https://nodewebapps.com/2017/06/18/how-do-nodejs-sessions-work/