In addition, it's a drop-in replacement in the sense that you can replace the npm package and all existing/active sessions will be transparently upgraded from the original to the new format, without logging users out.
Our implementation uses JWT as session tokens. With JWT you can store data that changes infrequently (with respect to the lifetime of a session, e.g., user id, roles) inside the JWT, while you can still maintain the full flexibility of your store (e.g., for counters, flash messages). We expect tokens to be passed as secure, http-only cookies. We use public key cryptography, specifically ES256, so that you can have a single service issuing tokens but multiple services verifying them (with access to the public key only, not the private key).
Note: Since version 1.5.0, the cookie-parser middleware no longer needs to be used for this module to work. This module now directly reads and writes cookies on req/res. Using cookie-parser may result in issues if the secret is not the same between this module and cookie-parser.
Warning: The default server-side session storage, MemoryStore, is purposely not designed for a production environment. It will leak memory under most conditions, does not scale past a single process, and is meant for debugging and developing.