What is the secret key in express-session?

Hi, could someone explain to me what exactly the express-session secret key is and what its functionality is?

const express = require('express')
const session = require('express-session')
const app = express()
app.use(session({
  secret: process.env.SESSION_SECRET,
}))

SESSION_SECRET is an environment variable: assigning it to the secret parameter allows express-session to use it to encrypt the sessionId, if I am not mistaken.
Probably you’d have it defined in an external file (i.e. a .env file for a node project), but you can set it in other ways.

Here is the parameter explanation from npmjs: express-session - #secret
Here is a random Medium article on environment variables: Node.js Everywhere with Environment Variables!

3 Likes

Ok, thanks, but how exactly does it “work”? Shouldn’t it be a different secret key for every other user? How does it work under the hood?

Shouldn’t it be a different secret key for every other user?

Actually I think it has to be different among applications, but each one must use one secret (or a few, always a limited number of known possibilities) to encrypt the sessionIds.

If it were different, randomly generated maybe, for each user, then express couldn’t know which one of the generated keys to use to decrypt the session (aside from the performance problems).

How does it work under the hood?

Mh, to be honest I’m not able to answer this question :confused:

2 Likes

Here you go:

2 Likes

So, if I understand correctly, it’s used by the application to encrypt everything within the app. You can set it to any string you want as long as you keep this string away from the eyes of any user. I used a random password generator to make my secret (is that the right thing to do?)