I find cookies, sessions, encryption, OpenID and OIDC all very confusing. I use
the express-openid-connect library to handle our Auth0 integration, and for the
most part it takes care of all the difficult parts of OAuth, tokens, etc.
Eventually you need to peel back the curtain and adjust things.
tl;