If you are starting out a new webapp using Express on Node.js, do not use express-session unless you really know what you are doing. Like: really know what you are doing and why. In any other case, use cookie-session.

The paragraph above may sound disparaging, but that's not where I'm going here. There are perfectly good use cases for express-session. However it requires more setting up than it may appear at first: you will have to integrate it with a database or similar. It may appear to work as a drop-in at first, but this is only because it defaults to using a memory store that won't work on production.

I bring this up because, recently, I was helping out a person who was learning the ropes of web development and was using Express. Sessions were not working correctly, expiring at random. Eventually I realised that they were using express-session, thinking that it would just work after adding the package. Dropping it in favour of cookie-session solved the issue.

Keep it simple. If you are just going through the first few iterations of your new project, working towards an MVP, there's a lot of stuff you do not need. It is tempting to see packages such as express-session, which are very popular on Github and are very flexible, and you may think that your project should use just that. However you should be wary of adding anything that has more options than you need, and could add complexity that will slow you down in the end.