Configure cookie-based server-side sessions.
```javascript
createConfig({
  session: {
    cookieName: 'sid',
    secret: '', // Set via SESSION_SECRET env var; never leave empty in production
    maxAge: 604800000, // 7 days (ms), absolute lifetime
    idleTimeout: 1800000, // 30 minutes (ms), inactivity limit
    rotateOnLogin: true,
    secure: true,
    sameSite: 'lax',
  },
});
```

| Option | Type | Default | Description |
|---|---|---|---|
| `cookieName` | string | `'sid'` | Session cookie name |
| `secret` | string | `''` | Cookie signing secret. The empty default is not usable in production; set it from the `SESSION_SECRET` environment variable |
| `maxAge` | number | `604800000` | Absolute session lifetime in ms (7 days), counted from creation regardless of activity |
| `idleTimeout` | number | `1800000` | Inactivity timeout in ms (30 minutes), reset by each request |
| `rotateOnLogin` | boolean | `true` | Issue a new session ID on login (OWASP session-fixation guidance) |
| `secure` | boolean | `true` | Set the `Secure` flag so the browser only sends the cookie over HTTPS |
| `sameSite` | string | `'lax'` | `SameSite` cookie attribute; `'lax'` withholds the cookie on cross-site POSTs and subresource requests, which blunts CSRF |
Set `secure: false` for HTTP development only. Do not ship this setting: without the `Secure` flag the browser sends the session cookie over plaintext HTTP, where it can be read or replayed.

```javascript
createConfig({
  session: { secure: false },
});
```

Session lifecycle:

- Created on register/login: the record is stored in MongoDB and only the session ID is sent to the browser, as an httpOnly cookie
- Validated on each request: both the absolute expiry (`maxAge`) and the idle timeout (`idleTimeout`) are checked
- Touched on each request: a successful validation resets the idle timeout; the absolute expiry is never extended
- Rotated on login: a fresh ID replaces the pre-login one, which prevents session fixation
- Revoked on logout: the record is deleted from the database, so the ID cannot be replayed