Authentication with sessions and cookies in an Express application

An introduction to a typical authentication workflow in a web API

In this article we'll go over an important aspect of a web API: authentication with sessions and cookies. We'll talk about what sessions are and what relationship they have to cookies.

We'll show what a typical workflow for implementing sessions and cookies in our web application developed with Express looks like.

Finally, we'll talk about some Node.js modules and libraries that can help in handling sessions.

What’s a session?

We can define a session as a period of time during which the server considers a client authenticated without having to re-authenticate.
Sessions are simply pieces of information saved in the backend in some sort of data store.

They are typically saved for a relatively short period of time, but they can also be persisted to a database for long time storage, keeping the session information available to the client for many days or months.

The basic idea behind sessions is that when you authenticate with username and password, a piece of data is saved on the server that verifies that you have indeed authenticated.

Since the session is in a data store, various information on the user state can also be saved along with the session.

What do cookies have to do with sessions?

When a session is created on the backend, a session id is given back to the browser and the browser stores that session id as a cookie.

The next time you visit that particular domain, all the cookies that belong to that domain are sent back to the server.

When the server receives the cookie, it's able to pull up information about the session the cookie is referring to.
It's a way for the server to keep track of who you are, what you were doing last time you visited, and other information about you.

So, to reiterate, cookies are pieces of information stored on the browser and are used by the server to access information stored in the session, which is saved somewhere in the backend.

It's important to note that cookies should not store sensitive information. All the cookie should have is an id that points to the session. The sensitive information is saved securely in the session.

Authentication workflow

Let's see what a typical authentication workflow using sessions and cookies looks like:

  1. The client sends authentication credentials, either in the body of the request or in the headers

  2. The backend application verifies the credentials

  3. The backend creates a session for this particular client

  4. The backend creates and sends back a cookie with the session id

  5. The client stores the cookie in the browser

  6. On every request to this same domain, the client sends the cookie back in the request header

  7. The backend verifies the cookie

  8. The backend provides or denies access to the client depending on the cookie being still valid or not

Node libraries

There are several Node.js libraries that can help us set up and manage sessions in an Express application. A couple of them are client-sessions and express-session.

Some application keep session data in the server memory. The drawback of this is that sessions are wiped out when the server shuts down or restarts.

Other applications save session data more persistently in the database or in data stores like Redis and Memcached. Data stores are similar to databases, but keep all the data in memory, so they are typically faster than a database.

In future articles, we'll show how to set up a system that uses sessions for authentication and authorization using the express-session library.

Did you like this article? Share it with your friends.
I write daily about front-end and back-end web technologies.
You can receive all my articles in your inbox by subscribing to my newsletter. Just click the button below. No spam, just good, useful content. Guaranteed!

Follow me on Twitter