Too Long; Didn't Read
This article is about sessions and how we forked express-session to make it more secure. Rather than building an independent session system, we made a drop-in replacement for the Express middleware. We use public-key cryptography (ES256) so that you can architect your system around a single "session manager" service that issues tokens and is the only component with access to the private key, while you can run as many verifiers as you need, none of which hold any secret. Our solution uses JWTs as the session tokens, rather than looking up a hash of the token in the data store.