DEV Community

Nivethan
Nivethan

Posted on • Originally published at nivethan.dev

Express Sessions

#express #javascript #node #beginners

This is my notes for the express-sessions library. This is middleware for express that adds support for sessions. The default uses an in memory store that leaks memory. However it is quite easy to set up a different backend.

The first step:

npm install express-sessions
Enter fullscreen mode Exit fullscreen mode

The second step as always, is to update app.js:

var session = require('express-session')

var app = express();

app.use(session({
    proxy: process.env.ENV === 'production',
    secret: process.env.SECRET,
    resave: true,
    saveUninitialized: false,
    cookie: {},
}));
Enter fullscreen mode Exit fullscreen mode

The proxy flag sets it so express trusts cookies sent to it by a reverse proxy like nginx. This is needed when the cookie is in secure mode which it should be in production. This would require https but if you use a reverse proxy, this https is already handled at that level and the request is simply passed to node.

Now we are ready to use sessions!

This is what a very bad user login system would look like.

var express = require('express');
var router = express.Router();

router.get('/login', function(req, res, next) {
    res.render("login", {});
});

router.post('/login', function(req, res, next) {
    if (req.body.username !== "nivethan") {
        return res.send("Invalid username.");
    }
    if (req.body.password !== "123") {
        return res.send("Invalid password.");
    }

    req.session.loggedIn = true;

    res.redirect("/");
});

router.get('/logout', function(req, res, next) {
    req.session.destroy();
    return res.redirect("/");
});

module.exports = router;
Enter fullscreen mode Exit fullscreen mode

When a user logs in we set the loggedIn flag on the session.

We can then use add our own session middleware to check for a valid session.

This would be routes/validateAdmin.js:

module.exports = (req, res, next) => req.session && req.session.loggedIn
    ? next()
    : res.redirect("/login");
Enter fullscreen mode Exit fullscreen mode

This will check for a session before handling the request. If the session doesn't exist it will redirect back to the login page.

Now we can do the following:

var express = require('express');
var router = express.Router();

var validateAccess = require("./validateAccess");

router.get('/admin/', validateAdmin, async function(req, res, next) {
    res.render("admin", {});
});
Enter fullscreen mode Exit fullscreen mode

Voila! We have used sessions to enable logging in.

Top comments (0)

Read next

karaniph profile image

Top 11 Web Hosting Powerhouses for 2025: Affordable, Lightning-Fast, and Ready to Perform!

Phaustin Karani -

probir-sarkar profile image

Next.js Interview Mastery: Essential Questions 61-70 (Part 7)

Probir Sarkar -

rowsanali profile image

A 50+ pages reactjs PDF cheat sheet with code examples of 30+ topics

Rowsan Ali -

mshsayket profile image

Laravel 11 Livewire Wizard Multi Step Form Tutorial

Saddam Hossain -