Session-based auth with express-session - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is the purpose of express-session in an Express app?

express-session helps keep track of user data across multiple requests by storing session info on the server. It allows the app to remember who the user is after they log in.

beginner
How does express-session identify a returning user?

It uses a cookie with a session ID stored in the user's browser. When the user sends requests, the cookie is sent back, letting the server find the matching session data.

intermediate
What is the role of the secret option in express-session?

The secret is a string used to sign the session ID cookie. This helps prevent tampering and keeps sessions secure.

intermediate
Why should session data be stored on the server and not in the cookie itself?

Storing session data on the server keeps sensitive info safe. Cookies can be seen or changed by users, so only a session ID is stored in the cookie to link to server data.

beginner
What happens when you call req.session.destroy() in an Express app?

This deletes the user's session data on the server and removes the session cookie, effectively logging the user out.

What does express-session use to track a user's session?
A. A cookie storing a session ID
B. Local storage in the browser
C. A hidden form field
D. URL query parameters
Which option is required when setting up express-session middleware?
A. port number
B. database URL
C. secret
D. view engine
Where is session data stored when using express-session by default?
A. In the user's cookie
B. In a database automatically
C. In the browser's local storage
D. In memory on the server
What does calling req.session.save() do?
A. Saves changes to the session data immediately
B. Deletes the session
C. Creates a new session
D. Logs the user out
Why is it important to use HTTPS with sessions?
A. To speed up the server
B. To protect the session cookie from being stolen
C. To allow more users to connect
D. To enable cookies in the browser
Explain how session-based authentication works using express-session in an Express app.
Think about how the server remembers who you are between page visits.
Describe the security benefits of using express-session with a secret and HTTPS.
Consider how to keep user info safe from attackers.

      Practice

      1. What is the main purpose of using express-session in an Express app?
      easy
      A. To store user data on the server and keep users logged in across requests
      B. To encrypt user passwords before saving to the database
      C. To serve static files like images and CSS
      D. To handle HTTP request routing

      Solution

      1. Step 1: Understand session purpose

        Sessions store user info on the server to remember users between requests.
      2. Step 2: Identify express-session role

        The express-session middleware manages these sessions automatically.
      3. Final Answer:

        To store user data on the server and keep users logged in across requests -> Option A
      4. Quick Check:

        Session-based auth = store user data server-side [OK]
      Hint: Sessions keep user info server-side to maintain login [OK]
      Common Mistakes:
      • Confusing sessions with password encryption
      • Thinking sessions serve static files
      • Mixing routing with session management
      2. Which of the following is the correct way to initialize express-session middleware in an Express app?
      easy
      A. app.use(expressSession('keyboard cat'))
      B. app.session({ secret: 'keyboard cat', resave: true })
      C. app.use(session({ secret: 'keyboard cat', resave: false, saveUninitialized: true }))
      D. app.sessionMiddleware({ secret: 'keyboard cat' })

      Solution

      1. Step 1: Recall express-session syntax

        The middleware is added with app.use(session({ options })).
      2. Step 2: Check options correctness

        Options like secret, resave, and saveUninitialized are standard.
      3. Final Answer:

        app.use(session({ secret: 'keyboard cat', resave: false, saveUninitialized: true })) -> Option C
      4. Quick Check:

        Use app.use(session({...})) with options [OK]
      Hint: Use app.use(session({ secret, resave, saveUninitialized })) [OK]
      Common Mistakes:
      • Using app.session instead of app.use
      • Passing secret as a string directly
      • Calling non-existent methods like sessionMiddleware
      3. Given this Express route using express-session:
      app.get('/dashboard', (req, res) => {
        if (req.session.user) {
          res.send(`Welcome, ${req.session.user}!`);
        } else {
          res.status(401).send('Please log in');
        }
      });
      
      // Assume req.session.user = 'Alice'
      What will the server respond when a logged-in user visits /dashboard?
      medium
      A. Welcome, Alice!
      B. Please log in
      C. Error: req.session.user is undefined
      D. Redirect to login page

      Solution

      1. Step 1: Check session user existence

        The code checks if req.session.user exists; here it is 'Alice'.
      2. Step 2: Determine response

        Since user exists, it sends Welcome, Alice! as response.
      3. Final Answer:

        Welcome, Alice! -> Option A
      4. Quick Check:

        Session user present = welcome message [OK]
      Hint: If req.session.user exists, show welcome message [OK]
      Common Mistakes:
      • Assuming undefined session user causes error
      • Expecting redirect without code
      • Confusing status 401 with success message
      4. Consider this code snippet for session setup:
      const session = require('express-session');
      app.use(session({
        secret: 'secret123',
        resave: false
      }));
      What is the likely problem with this setup?
      medium
      A. Session middleware must be added after routes
      B. Missing saveUninitialized option may cause sessions not to save properly
      C. resave must be true to save sessions
      D. The secret should be a number, not a string

      Solution

      1. Step 1: Review required session options

        While secret and resave are set, saveUninitialized is missing.
      2. Step 2: Understand saveUninitialized role

        Without saveUninitialized, some sessions may not be saved, causing unexpected behavior.
      3. Final Answer:

        Missing saveUninitialized option may cause sessions not to save properly -> Option B
      4. Quick Check:

        Always set saveUninitialized option [OK]
      Hint: Always include saveUninitialized in session config [OK]
      Common Mistakes:
      • Thinking secret must be a number
      • Believing resave must be true
      • Adding middleware after routes
      5. You want to protect a route so only logged-in users can access it using express-session. Which middleware function correctly checks the session and redirects unauthorized users to /login?
      hard
      A. function auth(req, res, next) { if (req.session.user) res.redirect('/login'); else next(); }
      B. function auth(req, res) { if (!req.session.user) next(); else res.redirect('/login'); }
      C. function auth(req, res, next) { if (req.session.user === undefined) res.send('Access granted'); else next(); }
      D. function auth(req, res, next) { if (req.session.user) next(); else res.redirect('/login'); }

      Solution

      1. Step 1: Understand middleware signature

        Middleware must have (req, res, next) and call next() to continue.
      2. Step 2: Check session user and redirect logic

        If req.session.user exists, call next() to allow access; otherwise redirect to /login.
      3. Final Answer:

        function auth(req, res, next) { if (req.session.user) next(); else res.redirect('/login'); } -> Option D
      4. Quick Check:

        Session user? next() : redirect [OK]
      Hint: Call next() if logged in; else redirect to login [OK]
      Common Mistakes:
      • Missing next() call in middleware
      • Reversing condition logic
      • Sending response instead of redirecting