I've been trying to implement authentication and session management in a node.js application using socket.io.

And from almost all the resources I found, I came across the term "session store".

There are open source tools that handles sessions for us, but we have to provide them with a session store.

Some tools has built in storage for sessions in memory, for example the module express-session comes with a default in memory session store, but also this warning:

Warning The default server-side session storage, MemoryStore, is purposely not designed for a production environment. It will leak memory under most conditions, does not scale past a single process, and is meant for debugging and developing.

So I searched for the available stable session stores and it turns out that most of the names are databases that I've heard of.

For example, here's a list of session stores and another one at GitHub that I've came across.

The names include MongoDB, MySQL, SQLite, cassandra, firebase etc, hence the confusion.

So the question is, are session stores and database the same..? (I can think of it like - when we're using the database for storing session details we call it session store but it's in fact a database)

If not, how do they differ..?

Session store is a place where session data is being stored on server. On web its usually being identified by a cookie stored in clients browser. So it allows your app to identify user and keep him logged in for example.

Session can either be memory, some database, simple files, or any other place you can come up with to store session data.

If you project uses some database, you can configure your session store to use the same database, to avoid having another database on server just for the purpose of session store.

Differences between different session stores:

• Memory session store is going to be reset on every app re-lauch. Also its fastest.
• Database session store, is going to be safe with app re-lauch. And at some point you will have alot of session objects which you might want to clean up. And same session stored in database can be even accessed from different apps.

Session store is a method of storing information about user as a session with unique identifier. It could be stored in memory or in database. Socket.io can utilize the same session (id) being used in express app by socket-express-session package, if I am not mistaken.

You can then use session information to grant/restrict access, for example.