is a private key and the session ID is being encrypted?
As I understand it, if an attacker can attain this cookie, maybe via XSS or social engineering, the attacker can still hijack the session.
You can't just sprinkle magik crypto faerie dust and expect to get more security, like chocolate chips.
What the author is missing is that once you sign the session id, and put that in the cookie - the signed session id IS the session id.
That is the identifier with which end users will tell the server which session is theirs.
It doesn't matter that the server will like to do some internal processing for associating the actual session identifier with the internal representation of the session's memory.
To be clear, if the signed session id is stolen - in any way, whether via XSS, social engineering, or anything else - then the attacker will be able to simply use that signed session id to hijack the user's session, internal representation notwithstanding.
That said, there is one nominal benefit in signing the cookie value before sending it to the browser: tamper detection.
That is, upon receiving the user's cookie, the web application can verify that the cookie was not tampered with before using it to look up the session memory, namely by validating the signature.
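The tamper-detection point above, and its limit, as an added example that is not part of the original answer or of the JS library under discussion. It assumes an HMAC-SHA256 signature appended to the session id; the secret, the in-memory store and all function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: server-side signing key
const sessions = new Map();               // assumption: in-memory session store

// Cookie value = "<session id>.<hex HMAC of session id>"
function sign(sessionId) {
  const mac = crypto.createHmac('sha256', SECRET).update(sessionId).digest('hex');
  return `${sessionId}.${mac}`;
}

// Returns the session id if the signature verifies, otherwise null.
function unsign(cookieValue) {
  const idx = cookieValue.lastIndexOf('.');
  if (idx < 0) return null;
  const sessionId = cookieValue.slice(0, idx);
  const expected = Buffer.from(sign(sessionId));
  const actual = Buffer.from(cookieValue);
  if (expected.length !== actual.length) return null;
  return crypto.timingSafeEqual(expected, actual) ? sessionId : null;
}

function login(user) {
  const sessionId = crypto.randomBytes(16).toString('hex');
  sessions.set(sessionId, { user });
  return sign(sessionId); // this whole string is what the browser holds
}

function handleRequest(cookieValue) {
  const sessionId = unsign(cookieValue);
  if (sessionId === null) return { status: 400, reason: 'bad signature' };
  const session = sessions.get(sessionId);
  if (!session) return { status: 401, reason: 'unknown session' };
  return { status: 200, user: session.user };
}

function demo() {
  const cookie = login('alice');
  // Tampered: a different id carrying the original signature is rejected.
  const tampered = 'f'.repeat(32) + cookie.slice(cookie.indexOf('.'));
  // Copied verbatim: indistinguishable from the legitimate browser.
  const copied = String(cookie);
  return { tampered: handleRequest(tampered), copied: handleRequest(copied) };
}

console.log(demo());
```

The signature only rejects values the server never issued; a verbatim copy of the signed value is accepted, so cookie confidentiality (for example the `HttpOnly` and `Secure` attributes) still has to be handled separately.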
From what I can tell, you found that some random js library does something unintuitive.
That doesn't mean it is insecure, or that that is the reason for it.
You shouldn't be surprised if this is a half-baked idea...
"It looks like the secret is a private key and the session ID is being encrypted?" - probably not, considering that what you describe as the "actual session ID" appears verbatim in the cookie. The author of that JS library seems to have made a common, yet mistaken, assumption, though based on just enough knowledge to get things wrong.