Episode 16 of 21

Cookie Session

Set up cookie-based sessions — install cookie-session, configure it in Express, and enable Passport to manage login state across requests.

Cookie Session

Passport knows how to serialize users, but it needs a cookie mechanism to actually store and send the session data. cookie-session handles this.

Installing cookie-session

npm install cookie-session

Setting Up in app.js

// app.js
const express = require('express');
const mongoose = require('mongoose');
const passport = require('passport');
const cookieSession = require('cookie-session');
const keys = require('./config/keys');
const authRoutes = require('./routes/auth-routes');
// Required for its side effect: loading this file registers the strategy and the
// serializeUser/deserializeUser callbacks with Passport, so the variable is not used directly.
const passportSetup = require('./config/passport-setup');

const app = express();

app.set('view engine', 'ejs');

// Set up cookie session
app.use(cookieSession({
    maxAge: 24 * 60 * 60 * 1000, // 24 hours
    keys: [keys.session.cookieKey]
}));

// Initialize passport
app.use(passport.initialize());
app.use(passport.session());

// Routes
app.use('/auth', authRoutes);

app.get('/', function(req, res) {
    res.render('home');
});

// Connect to MongoDB, then start listening. mongoose.connect() returns a promise;
// the callback form used by older Mongoose versions was removed in Mongoose 7.
mongoose.connect(keys.mongodb.dbURI).then(function() {
    console.log('Connected to MongoDB');
    app.listen(3000, function() {
        console.log('App listening on port 3000');
    });
}).catch(function(err) {
    console.error('MongoDB connection failed', err);
    process.exit(1);
});

Order Matters

// The order is critical:
1. cookieSession()         ← Creates the session
2. passport.initialize()   ← Initializes Passport
3. passport.session()      ← Connects Passport to the session

If you change the order, sessions will not work. The cookie session must exist before Passport tries to use it.

How Cookies Work

Login:
Server creates session → encrypts with cookieKey → sends as cookie to browser

Next request:
Browser sends cookie → server decrypts → deserializeUser → req.user is set

After 24 hours:
Cookie expires → user must log in again

Key Takeaways

  • cookie-session stores session data in an encrypted cookie
  • The keys array is used to encrypt the cookie — keep it secret
  • maxAge sets how long the session lasts (in milliseconds)
  • Middleware order matters: cookie-session → passport.initialize → passport.session