Why use cookie-session in addition to passport.js?


My understanding of passport.js so far is that passport.js serializes the user object and sends an ID every time to the client. I am just starting with it, so sorry if it's a silly question:

Instead of express-session, I am using cookie-session as I am a beginner. My understanding of cookie-session is that it sends a session ID every time, and this ID can be used to look up the database when needed.

Now, I don't understand why we can't just use the passport.js ID? Why do we need to use cookie-session in addition? Also, (this may be a little unrelated, but) is the difference between session-based authentication and token-based authentication that this ID that's shared is dynamic, or changing every time? Is this still the standard and modern way of doing it in 2020?



Answer 1 (score 1)

You don't need to use a session. It is totally up to you. Just put {session: false} in the route. Then you don't need to write passport.serializeUser and passport.deserializeUser. cookie-session puts a cookie on the client system, and it is sent each time with the request. passport.js reads that cookie and runs deserializeUser to convert it into an object and attach it to the request object.

express-session stores session data on the server; it only saves the session identifier in the cookie, not the session data. Whereas cookie-session is basically used for lightweight session applications: it allows you to store the session data in a cookie, i.e. within the client [browser]. Only use it when session data is relatively small and easily encoded as primitive values. See this question for more understanding.

const express = require('express');
const passport = require('passport'); // needed for passport.authenticate below
const { Router } = express;
const router = new Router();
router
  .get('/', passport.authenticate('google', { session: false })); // no session: nothing is serialized
Answer 2 (score 0)

"Instead of express-session, I am using cookie-session as I am a beginner."

Using cookie-session does not make anyone a beginner. If you are going to store large data, use express-session, because it stores the data in the database or Redis and keeps the database id of that data, so when it gets a request it fetches the data from the database with that id and compares the request credentials. On the other hand, cookie-session stores the data (up to 4 KB) in the cookie on the user's browser, and since only the user id is stored in the cookie with passport.js, cookie-session is generally used.

const passport = require('passport');
passport.serializeUser(
  (user, done) => {
    done(null, user.id); // stores only the id (well under 4 KB) in the session cookie
  }
);

When the client authorizes your app, Google sends the response to your callback URL.

app.get("/auth/google/callback", passport.authenticate("google"))

passport.authenticate() will call req.login(); this is where passport.user gets generated. req.login() will initiate serializeUser(), which determines which data of the user should be stored in the session:

passport: { user: userId }

Now this object will be assigned to req.session, so we will have req.session.passport.user.

Every time you make a request to a server, the browser automatically checks if there is a cookie set related to that server, and if there is, it automatically attaches the cookie to the request. If you were using token-based authentication, you would have to manually attach the cookie to the request every time you make a request. A cookie is just a transportation medium: you store data and move the data; you can even store the token in a cookie. Cookies are not just related to authentication. If you have a server-side project, you have to set cookies. (This is just a side note.)

"My understanding of cookie-session is that it sends a session ID every time, and this ID can be used to look up the database when needed."

So far I explained how the session is created. Now what happens when the user makes a request? In the app.js file you should have two middlewares:

app.use(passport.initialize());
app.use(passport.session());

app.use(passport.initialize()): this function checks if req.session.passport.user exists; if it does, it will call passport.session(). If it finds a serialized user object in the session, it will consider this request authenticated. Then deserializeUser() will be invoked; it will retrieve the user and attach it to req.user.