- Set your session cookie options to be httpOnly and pass a long enough string to secret.
- Your req object has not only a sessionID property but also a session object. This object is stored in Mongo (or whatever session storage you pass to express) and its contents are not available to your clients. So you can securely store whatever info you want here.
Behind the scenes Express checks that the session key (the only part of the session available to the client; you can prove this by checking the Resources tab of Chrome devtools) matches the current session. If someone tries to forge a session key, Express will notice this. Actually, Express uses Connect middleware, so you may want to skim this for more details: http://www.senchalabs.org/connect/session.html