express session key property
`express.session` uses `connect.session` underneath; if you look at its documentation, it will use `connect.sid` as a default key in case you don't provide one yourself:

Options:
- `key` cookie name defaulting to `connect.sid`
- ...

@robertklep's answer is out of date:
A session key is now mandatory. You must provide it, and the defense of the secrets contained within is dependent on selecting a good key. My recommendation is selecting a key with sufficient entropy (128 bits) and periodically changing it.

See: https://github.com/expressjs/session/blob/master/test/session.js#L38
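
The recommendation above (128 bits of entropy, changed periodically), worked through as an added example that is not part of either answer or of express-session's own code: it generates 128-bit secrets and shows how a list of secrets lets cookies signed before a rotation stay valid for one more rotation. It assumes the value being protected is the signing secret passed to express-session's `secret` option, which accepts an array where the first element signs and the rest only verify; the helper names, the `keep` parameter, the hex cookie encoding and the session ID are constructed for illustration.

```javascript
const crypto = require("crypto");

// 16 random bytes = 128 bits of entropy, hex-encoded for a config store.
function newSecret() {
  return crypto.randomBytes(16).toString("hex");
}

// Rotate: newest secret first; `keep` (hypothetical parameter) bounds how
// many secrets stay valid, so old cookies survive exactly one rotation.
function rotate(secrets, keep = 2) {
  return [newSecret(), ...secrets].slice(0, keep);
}

function mac(value, secret) {
  return crypto.createHmac("sha256", secret).update(value).digest();
}

// Only the first (current) secret signs new cookies.
function sign(sid, secrets) {
  return sid + "." + mac(sid, secrets[0]).toString("hex");
}

// Any listed secret may verify; the comparison is constant-time.
function unsign(cookie, secrets) {
  const dot = cookie.lastIndexOf(".");
  if (dot < 1) return null;
  const sid = cookie.slice(0, dot);
  const given = Buffer.from(cookie.slice(dot + 1), "hex");
  for (const secret of secrets) {
    const expected = mac(sid, secret);
    if (given.length === expected.length &&
        crypto.timingSafeEqual(given, expected)) return sid;
  }
  return null;
}

// Constructed walk-through: one cookie followed across two rotations.
function demo() {
  const sid = "constructed-session-id";
  let secrets = [newSecret()];
  const cookie = sign(sid, secrets);
  secrets = rotate(secrets);
  const afterOne = unsign(cookie, secrets);   // old secret still listed
  secrets = rotate(secrets);
  const afterTwo = unsign(cookie, secrets);   // old secret retired
  const tampered = unsign("x" + sign(sid, secrets), secrets);
  const fresh = unsign(sign(sid, secrets), secrets);
  return { afterOne, afterTwo, tampered, fresh };
}
```
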