
Request: Intro for beginners #188

Open
adamzerner opened this issue Jul 26, 2015 · 8 comments

Comments

adamzerner commented Jul 26, 2015

I'm a beginner and am not entirely sure what this is doing.

My understanding: if it's a "first time request", 1) create an empty session object and 2) send back a header to tell the browser to create a cookie. If it's a request with a cookie, somehow use the cookie to get the session.

When does the cookie go away? The session?

gabeio (Member) commented Jul 26, 2015

There is an example. If it's a first-time request with saveUninitialized: false, it will not create a session until the user is logged in or has somehow been authorized. That is great for apps that have a lot of not-logged-in users browsing their pages, or bots roaming around, and don't want those users to be using sessions. That is also especially good for complying with EU cookie privacy laws. The cookie has its own settings (the cookie options), so you can decide how long it stays (cookie.maxAge). The session can have a TTL (time to live) depending on the store (the db connection library). For example, redis has TTL as a built-in function, so the session can have a TTL. Otherwise the session will live as long as your database is not changed.

siddo420 commented Jan 16, 2016

Can you also shed some light on the httpOnly param please? For example, what are the pros and cons of setting it to false?
I need it set to false so I can read cookies from another window (iframe, etc.).

gabeio (Member) commented Jan 16, 2016

can you also shed some light on httpOnly param please?

The httpOnly param is an HTTP protocol function, not ours; see here for some info. But I can shed some light on it. So in essence it will only send the cookie over HTTP(S) requests. By default (without httpOnly) the browser can and will share the cookies with JavaScript that is run on your website. This may or may not be ideal; it completely depends on your application. For the most secure practice you want httpOnly set, as you don't want anyone to be able to copy your cookies to someone else's browser or send/save them to a different server.

mattxdonovan commented Oct 26, 2016

Should this be closed or is there something being requested?

AlwaysAbhl001 commented Jul 5, 2017

I want to set a session on the server side with sessionStorage.setItem("mySession","This is mySession") and get it on the client side (Angular 2) with sessionStorage.getItem("mySession"). Is it possible using express-session? If so, how could I achieve it? @gabeio @dougwilson

req.session.mySession = req.body.mySession
What does it really do? Does it store it as sessionStorage.setItem("mySession","This is mySession")? If so, how can I retrieve it without knowing where it is stored? Someone help me! New to this phase.

gabeio (Member) commented Jul 5, 2017

@AlwaysAbhl001 sessions are data which are connected to the client's browser in a way that prevents them from being able to tamper with the variables as they are not ever passed to the user.

If you wish for them to be able to grab certain variables from the server I might advise you look into normal signed cookies (depending on what the values are) but keep the master copy of that variable in the session data (basically do not ever read from the cookie on the server side).

The other option would be to have an API which allows certain predefined variables in their session to be accessed by angular (best option is read only if any) e.g.: /api/session/mySession would return just the variable's value.

Side-notes: It would be very bad to return the entire session object ever or allow the user to be able to plug any variable into the /api/session/ and get the whole variable by brute force.

AlwaysAbhl001 commented Jul 6, 2017

@gabeio

The other option would be to have an API which allows certain predefined variables in their session to be accessed by angular (best option is read only if any) e.g.: /api/session/mySession would return just the variable's value.

No man, it's a token, I can't serve it on an API. As mentioned here (link), I did it using a cookie, but storing a token in a cookie is bad practice, so I'm searching for an effective process.

joewagner (Member) commented Jul 6, 2017

@AlwaysAbhl001 This is an issue asking for an intro for beginners. Do you want to know best practices for sharing a token between the client and server? Have you looked at the csurf module?
Regardless, it seems like your questions are off topic for this issue.

7 participants