Description
There is a very good explanation for this here
Avoid Sessions for Static Resources
I learned that if you add the session middleware before your static directory, Express will generate sessions for requests on static files like stylesheets, images, and JavaScript.
If a new visitor without a session loads a page with 10 static files, the client's browser will not yet have a cookie and will send 10 cookieless requests all triggering Express to create sessions. Ouch! So that's what was happening... If you haven't done something smart to detect bots and scrapers, things can blow out pretty quickly!
Simply put your static files first, or better yet on a CDN that has nothing to do with your Node.js app and your session collection should stay much healthier