Node.js · framework · ~30 mins

Session-based vs token-based auth in Node.js - Hands-On Comparison

Session-based vs Token-based Authentication in Node.js
📖 Scenario: You are building a simple Node.js server that handles user login. You want to understand how session-based and token-based authentication work by creating basic examples of each.
🎯 Goal: Build two simple authentication setups in Node.js: one using session-based authentication with express-session, and one using token-based authentication with JSON Web Tokens (jsonwebtoken).
📋 What You'll Learn
Create a user object with fixed username and password
Set up session configuration using express-session
Implement login route that creates a session on success
Set up token secret variable for JWT
Implement login route that returns a JWT token on success
Add middleware to protect a route using session or token
💡 Why This Matters
🌍 Real World
Web applications need to know, on every request after login, who is calling. Session-based auth keeps that state on the server and hands the client only an opaque session identifier, usually in a cookie; each request is a lookup, and logging out or revoking access is just deleting the server-side record. Token-based auth puts the claims (for example the username and an expiry) into a signed token that the client stores and presents on each request; the server verifies the signature instead of consulting state, which scales well but means a token stays valid until it expires. Understanding both, and this trade-off, is what lets you pick the right one for an application.
💼 Career
Many backend developer roles require knowledge of authentication methods. Knowing how to implement and protect routes with sessions and tokens is essential for building secure APIs and web apps.
Step 1. Create a user object with fixed credentials
Create a constant called user with an object containing username set to 'user1' and password set to 'pass123'. A plaintext literal is acceptable for this exercise only: a real application stores a salted password hash (for example with bcrypt or Node's crypto.scrypt) and compares the hash of the submitted password against it, never the raw password.

Hint: Use const user = { username: 'user1', password: 'pass123' }; to create the user object.
Step 2. Set up session configuration with express-session
Add these lines: import (require) express and express-session, create an app using express(), and configure app to use express-session with a secret 'mysecret', resave set to false, and saveUninitialized set to true. Two caveats for anything beyond this exercise: load the secret from configuration (for example process.env.SESSION_SECRET) rather than a literal in source, since it is what lets the server detect a tampered session cookie; and prefer saveUninitialized: false, because true creates and stores a session for every visitor before they have logged in. Once the app is served over HTTPS, also set cookie: { httpOnly: true, secure: true, sameSite: 'lax' } so the session cookie is not readable from script or sent over plain HTTP.

Hint: Use require to import modules and app.use(session({...})) to configure sessions.
Step 3. Implement login route that creates a session on success
Add a POST route /login that reads username and password from req.body. If they match the user object, set req.session.user to user.username and send 'Logged in'. Otherwise, send 'Invalid credentials' with res.status(401). Use the express.json() middleware so that req.body is populated from a JSON request body. Keep the failure message identical for a wrong username and a wrong password; a different message per case tells an attacker which usernames exist.

Hint: Use app.post with express.json() to read JSON body and set session on success.
Step 4. Set up token secret and implement token-based login route
Add the jsonwebtoken import and create a constant tokenSecret with value 'tokensecret' (in a real application a long random value read from the environment: a short, guessable secret lets anyone mint valid tokens offline). Add a POST route /token-login that reads username and password from req.body. If they match user, create a JWT signed with tokenSecret containing { username }, give it an expiry with the expiresIn option, and send it as JSON { token }. Otherwise, send { error: 'Invalid credentials' } with status 401. Also add middleware authenticateToken that reads the Authorization header, expects the form Bearer <token>, verifies the token with jwt.verify(token, tokenSecret, { algorithms: ['HS256'] }) so only the algorithm you sign with is accepted, and calls next() if valid, else sends 401. Add a protected GET route /protected that uses authenticateToken and sends 'Protected content'. Note that a token stays valid until it expires even after the user logs out, which is the main thing sessions give you that tokens do not.

Hint: Use jsonwebtoken to create and verify tokens. Extract token from Authorization header. Protect routes with middleware.