What's difference with express-session and cookie-session?

Basically, express-session is more abstract, it supports different session stores (like files, DB, cache and whatnot).

And cookie-session is a simple / lightweight cookie-based (cookie is the only storage engine supported: all the session info is stored on the client, in a cookie) session implementation. This kind of sessions is probably most famous for its Rails implementation.

The basic difference between both these relates to how and where is the session data being stored. Cookie session is basically used for lightweight session applications where the session data is stored in a cookie but within the client [browser], whereas, Express Session stores just a mere session identifier within a cookie in the client end, whilst storing the session data entirely on the server. Cookie Session is helpful in applications where no database is used in the back-end. However, the session data cannot exceed the cookie size. On conditions where a database is used, it acts like a cache to stop frequent database lookups which is expensive.

express-session stores the session identifier in the cookie while the actual session data resides in backend session store like connect-redis, where as cookie-session allows you to store the session data in a cookie (client-side).

From the documentation of cookie-session:

A user session can be stored in two main ways with cookies: on the server or on the client. This module stores the session data on the client within a cookie, while a module like express-session stores only a session identifier on the client within a cookie and stores the session data on the server, typically in a database.

The main advantage of using cookie-session is when you have a clustered node.js app, then you don't have to rely on sharing session data between forked processes.