When using the session middleware (https://github.com/expressjs/session) in Express, we have to pay attention to the options we pass when initializing the middleware. The ones that matter most for security are the following:
The httpOnly property on the cookie property: This defaults to true and should stay that way. With the flag set, the browser never exposes the cookie to frontend JavaScript (it is invisible to document.cookie), so a cross-site scripting bug cannot simply read the session ID and hand it to an attacker.
The secure property on the cookie property: When serving over HTTPS, we should enable this option, which tells the browser never to transmit the cookie over an unencrypted connection. Two caveats: the middleware will not set a secure cookie at all on a request that arrived over plain HTTP, and if a reverse proxy terminates TLS in front of Node, Express must be told to trust it (app.set('trust proxy', 1)), otherwise every request looks insecure and no session cookie is ever issued.
The maxAge property on the cookie property: If this property is unset, the cookie is a browser-session cookie and is discarded only when the user closes the browser; setting it to something like 30 minutes (30 * 60 * 1000, since the value is in milliseconds) avoids prolonged idle sessions. To make it a true idle timeout, combine it with rolling: true so the countdown restarts on every response; otherwise the browser-side expiry runs from the last time the cookie was sent rather than from the user's last request.
The secret property: This is used to sign the session ID cookie (the cookie carries only the ID; the session data itself lives in the store) so that a tampered or forged cookie is rejected; it must be a long, random value kept out of source control, and it should not be copied from the module...