# 2009-GHP-RM-WEB-FT Cookie Jar: :cookie: Cookies, :cookie: Sessions, Login, OAuth

Question: How exactly does a session secret work to keep the session ids not predictable? It seems like a random string file. "Nothing we add to req.session is ever sent back to the client" => where does this stay? In the database? In the HTTP header?

## Answer

To the first question: It takes the string we put into the secret and uses that in its encryption scheme. So basically, it takes what we pass in as a secret and uses it to "scramble" the identity. And the only way to unscramble it is using the secret.

- [Express Session Secret Docs](https://www.npmjs.com/package/express-session#secret)
- [Martin Fowler Blog: Session Secrets](https://martinfowler.com/articles/session-secret.html)
- [Secret Key Cryptography](https://libsodium.gitbook.io/doc/secret-key_cryptography#:~:text=Secret%2Dkey%20cryptography%20refers%20to,messages%20they%20want%20to%20send.)

To the second question: Well, in the demo, I sent back the `req.session` to the client manually :smile_cat: Whatever is in the `req.session` is not automatically sent to the client. It uses the cookie for that. Sessions are saved in the session store, which is on our server. It may get info that we want to save so it can be sent back and forth from the database, but the session store is stored in RAM on our server.

Question: This may be a silly question, but our Redux store has nothing to do with everything we learned today and will learn in the afternoon???

## Answer

Not a silly question! It has nothing to do with Redux. We are strictly in our server, specifically Express and using middleware. We may use Redux state in the front end to store some data that we get from the backend, but anything Passport and Session related is strictly Express.