Use client-sessions to securely store session data in cookies.

It seems client-sessions wants the cookie name to be the same as the name
of the property attached to `request` which contains the session data, so
I had to change the cookie name from `csol_state` to `session`. Hopefully
this isn't a big deal.

app.js

@@ -27,7 +27,6 @@ const healthChecker = healthCheck({
   }
 });
 
-app.use(express.cookieParser());
 app.use(middleware.session());
 app.use(middleware.csrf({
   whitelist: [

middleware.js

@@ -1,9 +1,10 @@
 var errors = require('./lib/errors');
 var express = require('express');
 var _ = require('underscore');
+var clientSessions = require('client-sessions');
 
 
-var COOKIE_KEY = 'csol_state';
+var COOKIE_KEY = 'session';
 
 if ('COOKIE_SECRET' in process.env) {
   var COOKIE_SECRET = process.env.COOKIE_SECRET;
@@ -15,15 +16,14 @@ if ('COOKIE_SECRET' in process.env) {
 }
 
 
-exports.session = function session (config) {
-  return express.session({
+exports.session = function session () {
+  return clientSessions({
+    cookieName: COOKIE_KEY,
     secret: COOKIE_SECRET,
-    key: COOKIE_KEY,
-    cookie: _.defaults(config || {}, {
-      httpOnly: true,
-      maxAge: (7 * 24 * 60 * 60 * 1000), //one week
-      secure: false
-    })
+    maxAge: (7 * 24 * 60 * 60 * 1000), //one week
+    cookie: {
+      httpOnly: true
+    }
   });
 };
 

package.json

@@ -8,6 +8,7 @@
     "bcrypt": "~0.7.5",
     "connect-flash": "~0.1.1",
     "express": "~3.1.0",
+    "client-sessions": "0.3.1",
     "imagemagick": "~0.1.3",
     "knox": "~0.8.2",
     "mime": "~1.2.9",