Install express-session and connect it as middleware in main.ts before initializing Passport. Configure passport.session() to enable session serialization. Implement serializeUser and deserializeUser to store and load the user from the session. Use a Redis store for distributed deployments.
Order matters: session() middleware must run before passport.initialize() and passport.session().
resave: false — do not save the session if it was not modified; prevents unnecessary writes.
saveUninitialized: false — do not save empty sessions; required for GDPR compliance.
Use Redis store in production — in-memory store is not shared across multiple instances.
serializeUser stores the minimum identifier (user ID); deserializeUser loads the full user on each request.
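The wiring described in the steps above, as an added example that is not part of the original notes. To run stand-alone it imports neither express-session nor passport; instead it builds the option object that would be handed to `session()` (the option names `secret`, `resave`, `saveUninitialized` and `cookie` are express-session's real options), implements `serializeUser`/`deserializeUser` with Passport's `done(err, value)` callback shape, and models the middleware order from `main.ts`. The user repository and the `User` type are constructed for the example.

```typescript
// Added example: express-session + Passport session wiring modelled without
// external packages. Option names mirror express-session; the callbacks
// follow Passport's serializeUser/deserializeUser signature. The in-memory
// USERS map is a constructed stand-in for the database.

interface SessionConfig {
  secret: string;
  resave: boolean;
  saveUninitialized: boolean;
  cookie: { httpOnly: boolean; secure: boolean; sameSite: "lax" | "strict"; maxAge: number };
  store: "redis" | "memory";
}

// Build the object passed to session(...). In production the store must be
// shared (Redis): the default MemoryStore lives in one process only, so a
// login on instance A is unknown to instance B.
function buildSessionConfig(secret: string, production: boolean): SessionConfig {
  if (secret.length < 32) throw new Error("session secret too short");
  return {
    secret,
    resave: false,            // write back only when the session changed
    saveUninitialized: false, // no cookie or store entry for anonymous visitors
    cookie: {
      httpOnly: true,         // not readable from page scripts
      secure: production,     // send only over HTTPS in production
      sameSite: "lax",
      maxAge: 60 * 60 * 1000, // one hour
    },
    store: production ? "redis" : "memory",
  };
}

// Order in which main.ts registers the middleware: the session store must be
// populated before Passport reads req.session.
function mainTsMiddlewareChain(): string[] {
  return ["session", "passport.initialize", "passport.session"];
}

// Check a proposed chain against the required order.
function middlewareOrderIsValid(chain: string[]): boolean {
  const s = chain.indexOf("session");
  const pi = chain.indexOf("passport.initialize");
  const ps = chain.indexOf("passport.session");
  return s >= 0 && pi > s && ps > pi;
}

interface User { id: number; email: string; role: string; }

// Constructed user repository.
const USERS = new Map<number, User>([
  [1, { id: 1, email: "alice@example.test", role: "admin" }],
]);

// Passport callback shape: done(err, value); `false` means "no user".
type Done<T> = (err: Error | null, value?: T | false) => void;

// serializeUser: persist only the stable identifier in the session record,
// never the whole user object (roles would otherwise go stale).
function serializeUser(user: User, done: Done<number>): void {
  done(null, user.id);
}

// deserializeUser: reload the full user on every request. If the user was
// deleted since login, hand back `false` so the request is unauthenticated
// instead of carrying a stale object.
function deserializeUser(id: number, done: Done<User>): void {
  const user = USERS.get(id);
  done(null, user ?? false);
}

// What req.user holds on a later request, given what was stored at login.
function roundTrip(user: User): User | false {
  const box: { id?: number; user: User | false } = { user: false };
  serializeUser(user, (_err, id) => { if (typeof id === "number") box.id = id; });
  deserializeUser(box.id ?? -1, (_err, u) => { box.user = u ?? false; });
  return box.user;
}
```

`roundTrip` with an id that is no longer in the repository returns `false`, which is the case a deleted or disabled account must hit: the session cookie still exists, but `deserializeUser` refuses to resurrect the user.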