NestJSframework~10 mins

Session-based authentication in NestJS - Step-by-Step Execution

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Perf

Concept Flow - Session-based authentication

User sends login request

↓

Server verifies credentials

Yes↓

Server creates session

↓

Session ID stored in cookie

↓

User sends requests with cookie

↓

Server checks session ID

↓

Server grants access

↓

End

No↓

Server denies access

↓

End

User logs in, server checks credentials, creates a session, stores session ID in cookie, then checks session on each request to allow or deny access.

Execution Sample

NestJS

import { Controller, Post, Req, Res } from '@nestjs/common';
import * as session from 'express-session';

@Controller('auth')
export class AuthController {
  @Post('login')
  login(@Req() req, @Res() res) {
    if (req.body.user === 'admin' && req.body.pass === '123') {
      req.session.user = 'admin';
      res.send('Logged in');
    } else {
      res.status(401).send('Unauthorized');
    }
  }
}

This code checks user credentials, creates a session if valid, and sends a response.

Execution Table

Step	Action	Input	Session State	Response
1	User sends login request	{user:'admin', pass:'123'}	{}	Pending
2	Server checks credentials	user='admin', pass='123'	{}	Pending
3	Credentials valid?	Yes	{}	Pending
4	Create session	Set req.session.user='admin'	{user:'admin'}	Pending
5	Send response	Session created	{user:'admin'}	'Logged in' with Set-Cookie
6	User sends request with cookie	Cookie with session ID	{user:'admin'}	Pending
7	Server checks session ID	Session ID valid	{user:'admin'}	Pending
8	Grant access	Session valid	{user:'admin'}	Access granted
9	User sends request without valid session	No or invalid cookie	{}	Pending
10	Deny access	Session invalid	{}	401 Unauthorized

💡 Execution stops when server grants or denies access based on session validity.

Variable Tracker

Variable	Start	After Step 4	After Step 6	Final
req.session	{}	{user:'admin'}	{user:'admin'}	{} or {user:'admin'} depending on request
Response	None	Pending	Pending	'Logged in' or '401 Unauthorized'

Key Moments - 3 Insights

Why does the server store user info in req.session instead of sending it back directly?

What happens if the user sends a request without the session cookie?

How does the server know which session belongs to which user?

Visual Quiz - 3 Questions

Test your understanding

Look at the execution table, what is the session state after step 4?

A{user:'admin'}

Bnull

C{}

D{user:'guest'}

Concept Snapshot

Session-based authentication in NestJS:
- User sends login with credentials
- Server verifies credentials
- If valid, server creates session and stores user info
- Session ID sent in cookie to client
- Client sends cookie with each request
- Server checks session ID to allow or deny access
- Sessions keep user logged in without resending password

Full Transcript

Session-based authentication in NestJS works by the user sending a login request with credentials. The server checks these credentials. If they are correct, the server creates a session and stores user information in it. The server sends a session ID back to the user in a cookie. For every following request, the user sends this cookie. The server uses the session ID from the cookie to find the session data and verify the user is logged in. If the session is valid, the server grants access. If not, it denies access. This way, the user stays logged in without sending the password every time.