Expressframework~10 mins

Session-based auth with express-session - Step-by-Step Execution

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Perf

Concept Flow - Session-based auth with express-session

Client sends login request

↓

Server checks credentials

↓

Create session and store user info

↓

Send session cookie to client

↓

Client sends requests with cookie

↓

Server reads session from cookie

↓

Allow access

This flow shows how a client logs in, the server creates a session, sends a cookie, and then uses that cookie to authenticate future requests.

Execution Sample

Express

const session = require('express-session');
app.use(session({ secret: 'key', resave: false, saveUninitialized: false }));

app.post('/login', (req, res) => {
  if (req.body.user === 'admin' && req.body.pass === '123') {
    req.session.user = 'admin'; res.send('Logged in');
  } else res.status(401).send('Fail');
});

This code sets up session middleware and a login route that saves user info in the session on success.

Execution Table

Step	Action	Input	Session State	Response to Client
1	Client sends POST /login with user=admin, pass=123	{user:'admin', pass:'123'}	{}	Waiting
2	Server checks credentials	user=admin, pass=123	{}	Waiting
3	Credentials valid, create session	N/A	{user:'admin'}	Set-Cookie header sent
4	Send response 'Logged in'	N/A	{user:'admin'}	'Logged in' text
5	Client sends GET /dashboard with cookie	Cookie with session ID	{user:'admin'}	Waiting
6	Server reads session from cookie	Session ID	{user:'admin'}	Waiting
7	Session valid, allow access	N/A	{user:'admin'}	Dashboard content
8	Client sends GET /dashboard without cookie	No cookie	{}	Waiting
9	Server finds no session	N/A	{}	Redirect to /login
10	Execution ends	N/A	N/A	No session, access denied

💡 Execution stops when client has no valid session cookie or after response sent.

Variable Tracker

Variable	Start	After Step 3	After Step 6	Final
req.session	undefined	{user:'admin'}	{user:'admin'}	Depends on request
res.headers['Set-Cookie']	undefined	Session cookie set	Session cookie sent	Session cookie present or absent
client.cookie	undefined	Cookie with session ID	Cookie with session ID	Cookie present or absent

Key Moments - 3 Insights

Why does the server send a cookie after login?

What happens if the client sends a request without the session cookie?

Is the user info stored on the client or server?

Visual Quiz - 3 Questions

Test your understanding

Look at the execution_table, what is the session state after step 3?

Aundefined

B{}

C{user:'admin'}

D{user:'guest'}

Concept Snapshot

Use express-session middleware to create sessions.
On login, save user info in req.session.
Server sends a cookie with session ID to client.
Client sends cookie on future requests.
Server reads session from cookie to authenticate.
No cookie means no session, access denied.

Full Transcript

This visual execution shows how session-based authentication works with express-session. When a client logs in with correct credentials, the server creates a session object storing user info and sends a cookie with a session ID back to the client. The client includes this cookie in future requests. The server reads the cookie, finds the session, and allows access. If the client sends no cookie or an invalid one, the server denies access and redirects to login. Variables like req.session and response headers change during these steps, showing how state is maintained securely on the server while the client holds only a session ID cookie.