What is a session?

Last updated: February 8, 2026Reviewed date: February 8, 2026Reading time: 9 min read
Patient Tools

Read, save, and share this guide

Use these quick tools to make this medical article easier to read, print, save, or share with a family member.

Article Summary

The very basic steps of express-session and cookie-based session management The first time a browser makes a request to our server, express session generates a unique session id 2. saves that session id in a session cookie and passes this back to the browser. creates an empty session object, as req.session. saves the session object to the database. Now if the same browser makes another...

Key Takeaways

  • This article explains The very basic steps of express-session and cookie-based session management in simple medical language.
  • This article explains What is a session? in simple medical language.
  • This article explains What’s Going On Here in simple medical language.
Educational health guideWritten for patient understanding and clinical awareness.
Reviewed content workflowUse writer and reviewer profiles for stronger trust.
Emergency safety firstUrgent warning signs are highlighted below.

Seek urgent medical care if you notice

These warning signs are general safety guidance. Local emergency numbers and clinical judgment should always come first.

  • Severe symptoms, breathing difficulty, fainting, confusion, or rapidly worsening illness.
  • New weakness, severe pain, high fever, or symptoms after a serious injury.
  • Any symptom that feels urgent, unusual, or unsafe for the patient.
1

Emergency now

Use emergency care for severe, sudden, rapidly worsening, or life-threatening symptoms.

2

See a doctor

Book a professional medical evaluation if symptoms persist, worsen, recur often, affect daily activities, or occur in a high-risk patient.

3

Learn safely

Use this article to understand possible causes, tests, treatment options, prevention, and questions to ask your clinician.

The first time a browser makes a request to our server, express session

generates a unique session id 2. saves that session id in a session cookie and passes this back to the browser.

  1. creates an empty session object, as req.session.

  2. saves the session object to the database.

Now if the same browser makes another request, the browser sends that earlier saved cookie that contains our session id, and boom, that’s the caller id. Express session knows that browser has sent requests before.

=================================================

What is a session?

A session is a place to store data that you want have access to, across the requests between client and server. Each user that visits your website has a unique session. You can use sessions to store and access user data as they browse your application. Sessions are integral to web application development because they allow the application to store state. Based on what action a user took on Page A, we can show a different Page B. Without them, applications would be stateless, and not very useful.

Sessions can store their information in different ways. The popular ways to store session data is:

  • In application memory
  • In a cookie
  • In a memory cache
  • In a database

The module like express-session will provide you with a nice API to work with sessions (letting you get & set data to the session), but under the hood, it will save and retrieve this data using a cookie.

1. Storing Session Data in Application Memory

One way to store session data is in Application memory. This is often the simplest way, but not used in production.

Storing session data in application memory essentially means that the data is stored for the lifetime of your application runtime. If your web application server crashes or is stopped, all session data is removed. It also causes memory leaks. As your application stays running, more and more memory is used, until your app runs out of memory.

2. Storing Session Data in Cookies

A cookie is usually a small piece of data that gets sent between a web server to your web browser. It allows the server to store information relevant to a specific user.

One common use for cookies is to store session data. This works in the following way.

The server issues a cookie that gets sent to the web browser and stored for a period of time (called the expiration time). When a user makes a subsequent request to the web server, this cookie gets sent along with the request, and the server can read the information that is in it. The server can manipulate the cookie if it needs to, and then sends it back to the browser. Until the cookie expires, every time you make a request, your browser will send the cookies back to the server.

modules like express-session will provide you with a nice API to work with sessions (letting you get & set data to the session), but under the hood, it will save and retrieve this data using a cookie.

Express-session also offers ways to secure your cookies to ensure that the information inside your application cookies are not exposed.

https://github.com/expressjs/session#cookiesecure – Please note that secure: true is a recommended option. However, it requires an https-enabled website, i.e., HTTPS is necessary for secure cookies. If secure is set, and you access your site over HTTP, the cookie will not be set. If you have your node.js behind a proxy and are using secure: true, you need to set “trust proxy” in express:

var app = express()
app.set('trust proxy', 1) // trust first proxy
app.use(session({
  secret: 'keyboard cat',
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true }
}))

Some drawbacks with cookies:

They can only store small bits of data, about 4KB usually. They are sent in every request, and if you store a bunch of data in a cookie, it will increase the size of the requests, which will slow down your site’s performance. If an attacker figures out how your cookies are encrypted (your secret key), then your cookies will be compromised. Attackers will then be able to read the data that is stored in the cookies, which can be sensitive user data.

3. Storing Session Data in a Memory Cache

A Memory Cache is a place where small chunks of key-value data can be stored. Popular examples of memory caches that are used to store session information are Redis and Memcached.

When storing session data in a memory cache, the server will still use a cookie, but the cookie will only contain a unique sessionId. This sessionId will be used by the server to perform a lookup against the store.

When using a memory cache, your cookie only contains a session ID. This removes the risk of private user information being exposed in the cookie.

There are some other benefits to using a memory cache to store session information.

They are normally key-value based and are very quick to perform lookups. They normally are decoupled from your application server. This decoupling reduces dependencies. A single memory store can serve many applications. They automatically manage memory by removing old session data.

However, there are some downsides to them as well:

They are another server to set up and manage. They may be overkill for small applications. Normally database stores (which we will cover next), or cookies will do the job as well. There’s no good way to reset the cache without removing all the sessions stored inside it.

4. Storing Session Data in a Database

Lastly, let’s talk about storing session data in a traditional database, like MySQL or PostgreSQL. For most cases, this works in a very similar way to storing session data in a memory store.

The session cookie still contains a sessionId. In this case, it will map to the primary key of the Session table on the database.

Some drawback of storing session in database

Retrieving data from a database is slower than a memory cache because the data is stored on disk, not on memory. You’ll be hitting your database a lot when you store your sessions there.

Additionally, you have to completely manage old sessions yourself. If you don’t get rid of old sessions, your database will be filled with thousands of unused rows.

We use sessions to maintain state between user requests and we use cookies to transport the session ID between those requests.

Every user interaction with your application is an isolated and individual request and response. The need to persist information between requests is vital for maintaining the ultimate experience for the user.

After an user has authenticated, as a developer I have to retain various personalized user information that is associated with a session as well.

So I have to securely set up sessions in my application to mitigate risks such as session hijacking. For that I have to obfuscate session ID’s, enforce a time-to-live in my sessions, set up secure cookies for transporting sessions, and finally the importance and role of Transport Layer Security (TLS) when it comes to using sessions.

express-session (https://github.com/expressjs/session ) – A very popular session module that has been highly vetted by the community and constantly improved.

const session = require('express-session')
const dbConnection = require('./database')
const MongoStore = require('connect-mongo')(session)

app.use(
	session({
		secret: 'fraggle-rock', //pick a random string to make the hash that is generated secure
		store: new MongoStore({ mongooseConnection: dbConnection }),
		resave: false, //required
		saveUninitialized: false //required
	})
)

What’s Going On Here

We’re importing the session function from the express-session NPM module and passing the session function a configuration object to set properties inside the object passed to express-session. Note express-session, requires an object as an argument to initialize it.

Secret. Required option. This is a value used in the signing of the session ID cookie, that is stored in the cookie.

This can be either a string for a single secret, or an array of multiple secrets. If an array of secrets is provided, only the first element will be used to sign the session ID cookie, while all the elements will be considered when verifying the signature in requests.

Store. I’m using MongoDB as my backend, and I want to persist the application sessions in my database, so I am using the connect-mongo NPM module and setting the session store value to an instance of this module. However, you might be using a different backend, so your store option could be different. The default for store is express-session is an in-memory storage. That is, it defaults to a new MemoryStore instance. ( MemoryStore is the default memory where express-session stores cookie data ). Note – express-session by default uses a MemoryStore (in-memory key-value store for storing session data) implementation that is only designed for development environments, but cant scale in production, as after few user logins it can no more handle all those session data and will crash wiping out all session data.

Cookie. This determines the behavior of the HTTP cookie that stores the session ID.

resave – Forces the session to be saved back to the session store, even if the session was never modified during the request. Depending on your store this may be necessary, but it can also create race conditions where a client makes two parallel requests to your server and changes made to the session in one request may get overwritten when the other request ends, even if it made no changes (this behavior also depends on what store you’re using). So, resave: false will not resave to the session store unless the session is modified. Modified means adding a property to req.session or changing a variable value.

Typically, you’ll want false.

How do I know if this is necessary for my store? The best way to know is to check with your store if it implements the touch method. If it does, then you can safely set resave: false. If it does not implement the touch method and your store sets an expiration date on stored sessions, then you likely need resave: true.

saveUninitialized Forces a session that is “uninitialized” to be saved to the store. A session is uninitialized when it is new but not modified. Choosing false is useful for implementing login sessions, reducing server storage usage, or complying with laws that require permission before setting a cookie. Choosing false will also help with race conditions where a client makes multiple parallel requests without a session.

So, saveUninitialized: false: An uninitialized session is an unmodified one. When set to false, the session won’t be saved unless we modify it. It also won’t send the id back to the browser.

Good resources

Patient safety assistant

Check your symptom safely

Hi, I am RX Symptom Navigator. I can help you understand what to read next and what warning signs need care.
Warning: Do not use this in emergencies, pregnancy, severe illness, or as a substitute for a doctor. For children or teens, use with a parent/guardian and clinician.
A rural-friendly guide: warning signs, when to see a doctor, related articles, tests to discuss, and OTC safety education.
1 Symptom 2 Severity 3 Safe guidance
First safety question

Is there chest pain, breathing trouble, fainting, confusion, severe bleeding, stroke-like weakness, severe injury, or pregnancy danger sign?

Choose quickly

Browse by body area
Start here: Write or select a symptom. The guide will show warning signs, doctor guidance, diagnostic tests to discuss, OTC safety education, and related RX articles.

Important: This tool is educational only. It cannot diagnose, treat, or replace a doctor. OTC information is not a prescription. In an emergency, contact local emergency services or go to the nearest hospital.

Doctor visit helper

Prepare before seeing a doctor

A simple rural-patient checklist to help you explain symptoms clearly, ask better questions, and avoid unsafe self-treatment.

Safety note: This is not a prescription or diagnosis. For severe symptoms, pregnancy danger signs, children with serious illness, chest pain, breathing difficulty, stroke-like weakness, or major injury, seek urgent care.

Which doctor may help?

Start with a registered doctor or the nearest qualified health center.

What to tell the doctor

  • Write when the problem started and how it changed.
  • Bring old prescriptions, investigation reports, and current medicines.
  • Write allergies, pregnancy status, diabetes, kidney/liver disease, and major past illnesses.
  • Bring one family member if the patient is weak, elderly, confused, or a child.

Questions to ask

  • What is the most likely cause of my symptoms?
  • Which danger signs mean I should go to hospital quickly?
  • Which tests are necessary now, and which can wait?
  • How should I take medicines safely and what side effects should I watch for?
  • When should I come for follow-up?

Tests to discuss

  • Vital signs: temperature, pulse, blood pressure, oxygen saturation
  • Basic physical examination by a clinician
  • CBC, urine test, blood sugar, or imaging only when clinically needed

Avoid these mistakes

  • Do not use antibiotics, steroid tablets/injections, or strong painkillers without proper medical advice.
  • Do not hide pregnancy, kidney disease, ulcer, allergy, or blood thinner use.
  • Do not delay emergency care when danger signs are present.

Medicine safety and first-aid guide

This section is for patient education only. It does not replace a doctor, pharmacist, or emergency care.

Safe first steps

  • Rest, drink safe water, and observe symptoms carefully.
  • Keep a written note of symptoms, duration, temperature, medicines already taken, and allergy history.
  • Seek medical care quickly if symptoms are severe, worsening, or unusual for the patient.

OTC medicine safety

  • For mild pain or fever, ask a registered pharmacist or doctor before using common over-the-counter pain/fever medicines.
  • Do not combine multiple pain medicines without advice, especially if you have kidney disease, liver disease, stomach ulcer, asthma, pregnancy, or take blood thinners.
  • Do not give adult medicines to children unless a qualified clinician advises it.

Avoid these mistakes

  • Do not start antibiotics without a proper medical decision.
  • Do not use steroid tablets or injections casually for quick relief.
  • Do not delay emergency care because of home remedies.

Get urgent help if

  • Severe symptoms, confusion, fainting, breathing difficulty, chest pain, severe dehydration, or sudden weakness need urgent medical care.
Medicine names, dose, and timing must be decided by a qualified clinician or pharmacist after checking age, pregnancy, allergy, other diseases, and current medicines.

For rural patients and family caregivers

Patient health record and symptom diary

Write your symptoms, medicines already taken, test results, and questions before visiting a doctor. This note stays on your device unless you print or copy it.

Doctor to discuss: Doctor / qualified healthcare provider
Tests to discuss with doctor
  • Basic vital signs: temperature, pulse, blood pressure, oxygen level if needed
  • Relevant blood, urine, imaging, or specialist tests only after clinical assessment
Questions to ask
  • What is the most likely cause of my symptoms?
  • Which warning signs mean I should go to emergency care?
  • Which tests are really needed now?
  • Which medicines are safe for my age, pregnancy status, allergy, kidney/liver/stomach condition, and current medicines?

Emergency warning signs such as chest pain, severe breathing difficulty, sudden weakness, confusion, severe dehydration, major injury, or loss of bladder/bowel control need urgent medical care. Do not wait for online information.

Safe pathway to proper treatment

Patient care roadmap

Use this simple roadmap to understand the next safe steps. It is educational and does not replace examination by a doctor.

Go to emergency care if you notice:
  • Severe or rapidly worsening symptoms
  • Breathing difficulty, chest pain, fainting, confusion, severe weakness, major injury, or severe dehydration
Doctor / service to discuss: Qualified healthcare provider; specialist depends on symptoms and examination.
  1. Step 1

    Check danger signs first

    If danger signs are present, seek emergency care and do not wait for online information.

  2. Step 2

    Record the symptom story

    Write when symptoms started, severity, medicines already taken, allergies, pregnancy status, and test results.

  3. Step 3

    Visit a qualified clinician

    A doctor, nurse, or qualified healthcare provider can examine you and decide which tests or treatment are needed.

  4. Step 4

    Do only useful tests

    Do tests after clinical assessment. Avoid unnecessary tests, random antibiotics, or repeated medicines without diagnosis.

  5. Step 5

    Follow up and return early if worse

    If symptoms worsen, new warning signs appear, or treatment is not helping, return for review quickly.

Rural patient practical tips
  • Take a written symptom diary and all previous prescriptions/test reports.
  • Do not hide medicines already taken, even herbal or over-the-counter medicines.
  • Ask which warning signs mean urgent referral to hospital.

This roadmap is for education. A real diagnosis and treatment plan requires history, examination, and clinical judgment.

RX Patient Help

Ask a health question safely

Write your symptom story. A health professional or site editor can review it before any answer is prepared. This box is not for emergency care.

Emergency first: Severe chest pain, breathing trouble, unconsciousness, stroke signs, severe injury, heavy bleeding, or rapidly worsening symptoms need urgent local medical care now.

Frequently Asked Questions

The very basic steps of express-session and cookie-based session management The first time a browser makes a request to our server, express session generates a unique session id 2. saves that session id in a session cookie and passes this back to the browser. creates an empty session object, as req.session. saves the session object to the database.Now if the same browser makes another request, the browser sends that earlier saved cookie that contains our session id, and boom, that’s the caller id. Express session knows that browser has sent requests before. =================================================What is a session?

A session is a place to store data that you want have access to, across the requests between client and server. Each user that visits your website has a unique session. You can use sessions to store and access user data as they browse your application. Sessions are integral to web application development because they allow the application to store state. Based on what action a user took on Page A, we can show a different Page B. Without them,…

References

Add references, clinical guidelines, textbooks, journal articles, or trusted medical sources here. You can edit this area from the RX Article Professional Blocks panel.

More from this topic
  1. How To Speed Up a WordPress (WP) Web Site

    To speed up a WordPress (WP) site, you need a combination of a solid foundation (hosting, theme) and optimization techniques (caching, image compression, code minification). These improvements...

    November 4, 2025 PHP, JS, CSS, Python, and Machine Learning Technology
  2. JavaScript Frameworks and Libraries List

    JavaScript frameworks and libraries are collections of pre-written JavaScript code designed to streamline and enhance web development. While both provide reusable code, their primary distinction lies in...

    October 26, 2025 PHP, JS, CSS, Python, and Machine Learning Technology
  3. Types of Linux

    Linux is most widely used by advanced users who always want to have more control over their system. In this user are allowed to easily install...

    November 7, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  4. User Agents for Web Scraping

    When scraping large amounts of information, the main problem is the risk of blocking and how to avoid it. We have already discussed that you can...

    September 28, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  5. Solid-State Drive (SSD)

    Solid-State Drive (SSD) is a solid-state storage device that uses integrated circuit assemblies to store data persistently, typically using flash memory. SSDs store data in semiconductor cells....

    July 5, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  6. HEADer.php Metadata

    To turn your web pages into graph objects, you need to add basic metadata to your page. We’ve based the initial version of the protocol on RDFa which...

    June 28, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  7. Largest Contentful Paint

    Developers today don’t have a reliable metric that correlates with their user’s visual rendering experience. Existing metrics such as First Paint and First Contentful Paint focus...

    June 11, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  8. Computer Short Code

    বর্তমান দিনে কম্পিউটার ছাড়া আমাদের এক পা এগোনো খুব কঠিন হয়ে উঠেছে।আপনি কয়েক সেকেন্ডের মধ্যে কিভাবে কম্পিউটার শিখতে ও চালাতে পারবেন সেই জন্য এই পোস্ট  Ctrl...

    June 3, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  9. What is Largest Contentful Paint

    Developers today don’t have a reliable metric that correlates with their user’s visual rendering experience. Existing metrics such as First Paint and First Contentful Paint focus...

    June 3, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  10. What is HTML5?

    HTML is the core foundational standard being worked on by the WHATWG community. It is continuously maintained and supersedes HTML4, XHTML1, DOM Level 2 HTML, and all...

    June 3, 2024 PHP, JS, CSS, Python, and Machine Learning Technology