Is the session options still applicable in basic auth strategy as I can't see anything in the code that uses this option setting. If not then the documentation is out of date. Thanks.

Setting the session option to false instructs passport not to serialize the user into the session. The relevant line of code is: https://github.com/jaredhanson/passport/blob/master/lib/passport/http/request.js#L41