What is the real FUNCTIONALITY of the secret option in express-session?

It says here that it is used to SIGN the session ID in the cookie. And here are my questions:

  1. By SIGNING, does it mean that it is just to tell the browser who the true sender of the cookie is?
  2. If it means encrypt session ID in the cookie instead, is this secret key used to prevent session hijacking? If yes, how? Or what security benefit does it provide?

I think a hacker can just steal the encrypted cookie data when we send it to the server and pretend to be us. My opinion here is based on this post, so I'm not sure if it is valid for expressjs as well.

Not sure I have an answer to your question, but I think the second comment on the accepted answer in the thread you linked to might be the reason, i.e. if the ID was generated using a non-cryptographically-safe generator.

Here is a related issue from the repo.

BTW, the README in the repo has a bit more info than the npmjs page does (secret).