DEV Community

Nivethan

Posted on • Originally published at nivethan.dev

Express Sessions

These are my notes for the express-session library. It is middleware for Express that adds session support. The default store is in-memory and leaks memory, but it is quite easy to set up a different backend.

The first step:

npm install express-session

The second step as always, is to update app.js:

var session = require('express-session')

var app = express();

app.use(session({
    // trust the reverse proxy's X-Forwarded-Proto header in production
    proxy: process.env.ENV === 'production',
    // used to sign the session id cookie; keep it out of the source tree
    secret: process.env.SECRET,
    // write the session back to the store on every request
    resave: true,
    // do not create a session (or send a cookie) until something is stored in it
    saveUninitialized: false,
    // cookie options go here; in production set secure: true (see below)
    cookie: {},
}));

The proxy flag tells express-session to trust the reverse proxy (for example nginx) in front of it when deciding whether the connection is secure. This is needed when the cookie is in secure mode, which it should be in production. Secure cookies require https, but with a reverse proxy the https is already terminated at that level and the request is simply passed on to node.

Now we are ready to use sessions!

This is what a very bad user login system would look like.

var express = require('express');
var router = express.Router();

router.get('/login', function(req, res, next) {
    res.render("login", {});
});

// Deliberately bad: hard-coded credentials compared in plain text.
router.post('/login', function(req, res, next) {
    if (req.body.username !== "nivethan") {
        return res.send("Invalid username.");
    }
    if (req.body.password !== "123") {
        return res.send("Invalid password.");
    }

    req.session.loggedIn = true;

    res.redirect("/");
});

router.get('/logout', function(req, res, next) {
    // destroy() is asynchronous; redirect once the store has removed the session
    req.session.destroy(function(err) {
        if (err) { return next(err); }
        res.redirect("/");
    });
});

module.exports = router;

When a user logs in we set the loggedIn flag on the session.

We can then add our own session middleware to check for a valid session.

This would be routes/validateAdmin.js:

module.exports = (req, res, next) => req.session && req.session.loggedIn
    ? next()
    : res.redirect("/login");

This checks for a session with the loggedIn flag set before handling the request. If there is no such session it redirects back to the login page.

Now we can do the following:

var express = require('express');
var router = express.Router();

var validateAdmin = require("./validateAdmin");

router.get('/admin/', validateAdmin, function(req, res, next) {
    res.render("admin", {});
});

module.exports = router;

Voila! We have used sessions to enable logging in.
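The pieces above as one testable module, added here as an example rather than code from the original post: the session options built from the same ENV and SECRET variables, the route guard in the shape of validateAdmin, and a login step that regenerates the session id before setting loggedIn. The minimum secret length, the cookie lifetime and the regenerate-on-login step are my own choices, not the post's.

```javascript
// Build the options object passed to session(...). It is plain data, so it
// can be checked without starting a server.
function sessionOptions(env) {
  const production = env.ENV === 'production';
  if (!env.SECRET || env.SECRET.length < 32) {
    // A missing or short secret lets anyone forge the signed session cookie.
    // (32 characters is this example's threshold, not a library requirement.)
    throw new Error('SECRET must be set to at least 32 characters');
  }
  return {
    secret: env.SECRET,
    proxy: production,            // trust X-Forwarded-Proto from the reverse proxy
    resave: false,                // only write back when the session changed
    saveUninitialized: false,     // no cookie until something is stored
    cookie: {
      secure: production,         // only sent over https (terminated at the proxy)
      httpOnly: true,             // not readable from page scripts
      sameSite: 'lax',            // not sent on cross-site POSTs
      maxAge: 8 * 60 * 60 * 1000, // 8 hours, an assumed lifetime
    },
  };
}

// Route guard, same shape as routes/validateAdmin.js in the post.
function requireLogin(req, res, next) {
  if (req.session && req.session.loggedIn === true) {
    return next();
  }
  return res.redirect('/login');
}

// After the password check succeeds, discard the pre-login session id before
// marking the session as logged in, so an id handed to the browser before
// login (session fixation) never becomes an authenticated one.
// req.session.regenerate(cb) is the express-session method of that name.
function establishLogin(req, username, done) {
  req.session.regenerate(function (err) {
    if (err) return done(err);
    req.session.loggedIn = true;
    req.session.username = username;
    done(null, req.session);
  });
}

if (typeof module !== 'undefined') {
  module.exports = { sessionOptions, requireLogin, establishLogin };
}
```

In app.js this replaces the inline object: app.use(session(sessionOptions(process.env))).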
