
secure-express-setup


One-command security setup for Express.js applications. This module configures express-session with hardened cookie settings (httpOnly, sameSite=strict, secure in production, 24h lifetime) and an optional Redis-backed store.

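const session = require('express-session');
const RedisStore = require('connect-redis').default;
const Redis = require('redis');

// Default cookie lifetime: 24 hours, in milliseconds.
const DEFAULT_MAX_AGE_MS = 24 * 60 * 60 * 1000;

/**
 * Mounts a hardened express-session middleware on `app`.
 *
 * Cookie settings applied:
 *  - `httpOnly`: the cookie is not readable from page scripts.
 *  - `sameSite: 'strict'`: the cookie is not sent on cross-site requests.
 *  - `secure`: only when NODE_ENV === 'production', so plain-HTTP development still works.
 *    NOTE(review): behind a TLS-terminating reverse proxy the caller must also enable
 *    `app.set('trust proxy', 1)` (or the `proxy` session option), otherwise express-session
 *    sees plain HTTP and will not set a secure cookie — confirm for your deployment.
 *  - `maxAge`: 24 hours unless overridden via `options.maxAge`.
 * `resave` and `saveUninitialized` are both off, so nothing is persisted until a handler
 * stores something on `req.session`.
 *
 * Also exposes `app.locals.regenerateSession(req)`, a Promise wrapper around
 * `req.session.regenerate` for rotating the session id on login (session-fixation defence).
 *
 * @param {object} app                  Express application (must support `app.use` / `app.locals`).
 * @param {string|string[]} secret      Cookie-signing secret(s). An array enables rotation:
 *                                      the first entry signs, the rest still verify.
 * @param {string} [redisUrl]           Redis connection URL. When omitted express-session's
 *                                      in-memory store is used; it leaks memory and is not
 *                                      shared across processes, so it is unsuitable for production.
 * @param {object} [options]
 * @param {number} [options.maxAge]     Cookie lifetime in milliseconds (default 24h).
 * @param {string} [options.cookieName] Session cookie name (default 'sessionId').
 * @returns {void}
 * @throws {TypeError} when `secret` is missing or empty.
 */
function setupSessionSecurity(app, secret, redisUrl, options = {}) {
  // express-session rejects a missing secret too, but failing here gives a clearer message
  // for a helper whose whole purpose is to get this configuration right.
  const hasSecret = Array.isArray(secret)
    ? secret.length > 0
    : typeof secret === 'string' && secret.length > 0;
  if (!hasSecret) {
    throw new TypeError('setupSessionSecurity: a non-empty session secret (string or string[]) is required');
  }

  const { maxAge = DEFAULT_MAX_AGE_MS, cookieName = 'sessionId' } = options;
  const isProduction = process.env.NODE_ENV === 'production';

  const sessionConfig = {
    secret,
    resave: false,
    saveUninitialized: false,
    name: cookieName,
    cookie: {
      httpOnly: true,
      secure: isProduction,
      sameSite: 'strict',
      maxAge,
    },
  };

  if (redisUrl) {
    const redisClient = Redis.createClient({ url: redisUrl });
    // node-redis emits 'error' events (e.g. during reconnects); an EventEmitter with no
    // 'error' listener turns those into an uncaught exception, so always attach one.
    redisClient.on('error', (err) => {
      console.error('setupSessionSecurity: redis client error', err);
    });
    // Connecting is deliberately best-effort so the app still boots while Redis is down;
    // requests that touch the session will fail until the client reconnects.
    redisClient.connect().catch((err) => {
      console.error('setupSessionSecurity: redis connect failed', err);
    });
    sessionConfig.store = new RedisStore({ client: redisClient, prefix: 'sess:' });
  } else if (isProduction) {
    // Make the silent fallback to MemoryStore visible instead of discovering it under load.
    console.warn(
      'setupSessionSecurity: no redisUrl given; using the in-memory session store, which is not suitable for production',
    );
  }

  app.use(session(sessionConfig));

  /**
   * Regenerates the session for `req` (new id, empty session data). Call after a
   * successful login so an id fixed before authentication cannot be reused.
   * @param {object} req Express request carrying `req.session`.
   * @returns {Promise<void>}
   */
  app.locals.regenerateSession = (req) =>
    new Promise((resolve, reject) => {
      req.session.regenerate((err) => {
        if (err) {
          reject(err);
        } else {
          resolve();
        }
      });
    });
}

module.exports = setupSessionSecurity;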