When to use saveUninitialized and resave in express-session
One thing to note is that if you set saveUninitialized to false, the session cookie will not be set on the browser unless the session is modified. That behavior may be implied but it was not clear to me when I was first reading through the documentation.
resave: It basically means that for every request to the server, it reset the session cookie. Even if the request was from the same user or browser and the session was never modified during the request.
saveUninitialized: When an empty session object is created and no properties are set, it is the uninitialized state. So, setting saveUninitialized to false will not save the session if it is not modified.
The default value of both resave and saveUninitialized is true, but using the default is deprecated. So, set the appropriate value according to the use case.
- Uninitialised = false
It means that Your session is only Stored into your storage, when any of the Property is modified in req.session - Uninitialised = true
It means that Your session will be stored into your storage Everytime for request. It will not depend on the modification of req.session. - resave = true
It means when the modification is performed on the session it will re write the req.session.cookie object. - resave = false
It will not rewrite the req.session.cookie object. the initial req.session.cookie remains as it is.
Let's assume that sessions are enabled globally (for all requests).
When a client makes an HTTP request, and that request doesn't contain a session cookie, a new session will be created by express-session. Creating a new session does a few things:
- generate a unique session id
- store that session id in a session cookie (so subsequent requests made by the client can be identified)
- create an empty session object, as
req.session - depending on the value of
saveUninitialized, at the end of the request, the session object will be stored in the session store (which is generally some sort of database)
If during the lifetime of the request the session object isn't modified then, at the end of the request and when saveUninitialized is false, the (still empty, because unmodified) session object will not be stored in the session store.
The reasoning behind this is that this will prevent a lot of empty session objects being stored in the session store. Since there's nothing useful to store, the session is "forgotten" at the end of the request.
When do you want to enable this? When you want to be able to identify recurring visitors, for example. You'd be able to recognize such a visitor because they send the session cookie containing the unique id.
About resave: this may have to be enabled for session stores that don't support the "touch" command. What this does is tell the session store that a particular session is still active, which is necessary because some stores will delete idle (unused) sessions after some time.
If a session store driver doesn't implement the touch command, then you should enable resave so that even when a session wasn't changed during a request, it is still updated in the store (thereby marking it active).
So it entirely depends on the session store that you're using if you need to enable this option or not.