Hey guys, it's Alex again. I know the config for express-session can feel a bit daunting at first (I had to read through very carefully myself), so I created a reference guide that explains each option in detail. You can find it along with other presentations on GitHub github.com/alex996/presentations/blob/master/express-session.md
For people who are watching this video : at 20:10 in the newest versions of Express, body-parser package is now built-in in Express. All you need to do is use it as a middleware like this : app.use(express.json()) and app.use(express.urlencoded({extended: true})) Thanks for the video!
At first I was like "wow dude this guy is way too fast", but after watching a lot of many other tutorials I realized yours are actually the best ones, straight to the point, while most of the others just do a 2 hours video for something that could've been explained in 30. I surely can't fully understand this in 40 minutes, but I sure can pause the video and/or rewatch all the parts I didn't get at first and I'll know that I won't waste time since there's no dead moment Great job and thank you :^D
Also, we can chain our routes if the have the same path like, "/login". Example: app.route("/login") .get(function (req, res) { res.send('Login page"') }) .post(function (req, res) { res.send('post login') });
A BIG THANK YOU for the level of detail and simplicity of this authentication tutorial, it has cleared my confusion on this topic as to when does the client know the user is still connected, or how the session is checked and validated! I've honestly seen this video and watched it on 1.5x before and I didn't get the pointers, so I watched a few more videos on the same topic but got really confused because there's no clear explanation how they validate the session data, how logging in and out works when the session is created/destroyed or how the server uses the session to determine the current user! So I finally watched your video on normal speed, and got the ideas right! I know how JWT authentication works already, it works on the payload, but this session authentication using express has eluded me, so thanks again!
Great job Alex. Really useful. I was doing well until around 30:00. It got over my head afterwards. But I discovered your new Authentication/Authorization series and will be going those for sure. Thanks for getting me up and going in a very short time. Cheers.
Thank you for this video. This is a great tutorial, I could learn, understand, and now I'm going to try to implement all the 'to dos' by myself. Even today, almost 3 years later, It is not so common to find content abou session auth (JWT all over the place), let alone a so well produced material, so congratulations and thank you again.
Thank you so much alex. From last 3 days i was trying to learn how to implement session based authentication and i failed but from this video, I learned it easily.
2:44 express-session [options], cookie and process.env configuration 11:57 authentication/routes 14:35 render HTML elements based on authentication 15:33 pseudo database 20:57 protected routes/middleware 23:45 very simple login validation 25:37 very simple registration validation 28:37 logout 30:14 res.locals middleware 32:56 persist sessions 33:49 cookie extension 38:31 final steps for production
Coming from perhaps the absolute beginner in Node, thank you. I not only understood the basics of session management, you helped me improve my workflow as well. Currently trying to adapt this with your suggestions (database, validation, hashing...). Running into issues, but I'm confident I'll crack it soon. I'm grateful. Have a sub.
Hey there! I have to give you a huge thumbs up! This is one of the best tutorials I have ever watched! Everything you said made sense and you didn't speak to hear yourself talk. You got straight to the point and everything was clear and concise. Thank you! I liked and subscribed and will be watching more of your videos. Once again...GREAT JOB! Wish others made excellent tutorials like this one. Take care, Lee
Bro u r seriously amazing. This is the first video I have watched of urs and I am a fan of ur to the point videos with all the minor explanations as well. Btw I watched at 1.5x speed 😂. Perfect
Hey I'm french and I watched your video , which helped me a lot for my backend school project... You speak a little to fast but I understood almost everything I needed to haha. thanks!
At first I thought... damn!! dude has no chills at all, then with the little humour at around16:10 I was like, whew! he's human after all :) great video
Even though I define my req.session.userId = user.id, and can console.log in the same page it works.. But printing req.session.userId anywhere else doesnt work, it returns undefined.. not really finding any good solutions online, I must have missed something?
RICARD, QUE GUAPO DEJAR A ESTE CHAVAL ENSEÑARNOS LO QUE TU DEBERÍAS EH, TA WAPA LA FAENA DE PROFE DEL CHILL HACIENDO TUS OTROS TRABAJOS EN VEZ DE ENSEÑARNOS EHHH. Np, te quiero
Checking only if a session is present rather than verifying it, wouldn't it allow people to access /home with any random value set as session id? [21:37]
The session ID will only be present on req.session if the session was successfully loaded by express-session. If they try sending in a bogus session ID cookie, the session won't be found (in redis, mongodb, etc.).
for your login route at 25:21 why does the response need a return, then if your login fails it just sends a regular response? when I tried it without the return it gave me an error, but with the return, it works just fine.
You don't want it to flow through and attempt a second redirect. When you preface line 121 with a return, the function (route handler) will exit and never leave the if condition.
26:45 How do you know that if(!exists) will execute after your line 132 const exists = users.some(...) ? I know JavaScript is asynchronous and this type of stuff trips me up
Hey, I would like to clarify some doubts. If the maxAge is set to a timethen wouldn't the cookie be deleted by the browser even though there is user activity? Wouldn't that affect user experience? Is there some kind of best practice?
express-session has a rolling option to extend the expiry date on subsequent requests. You may want to be careful so as not to extend it indefinitely though; that's where the absolute timeout comes in
Wow. Perfect. A way to create a register, login, session and logout in 1 video. Just what I needed. I looked at your presentations on github and you go into detail on how to use redis to store a session ID. Any chance you can give a quick explanation on how to store the session ID on mongoDB? Thanks
Thank you so much for this video....let say if i save token in cookie at client shall i need to manually send it along with header OR it will be auto sent if i stored in cookie..?
@@muktesh_gautam totally understandable. But I guess in my case I shouldn't do that as I'm sending an email verification to verify that the user's email is valid :D
Very nice tutorial, thanks a lot, i have question when does the cookie is attached with request object like when you do req.session.userId = user.id, what happens is you are setting a property for req.session is this line make the cookie sid(session id which is a big string as you explained) to be set on the document.cookie
document.cookie gives you access to non-HttpOnly cookies (i.e. those visible to JS). The cookie header itself is set by express-session shortly before the response is set out. That's what the middleware does when you mount it to the Express (app) instance.
Hi, good work doing this video : Had one question : Could the user "create" a cookie named "userId" containing a random value and be redirected to /home without having to login, since we are only checking the presence of req.session.userId , could this be a potential abuse ? (since user can send whatever they went through request right ?)
What I suggest in this case is to validate the userId with our database (here the array). But could be heavy to do so on every request so I don't know..
This was really helpful! FYI, the custom middleware redirectLogin wasn't working me for some reason. I had to use the hasOwnProperty method: const redirectLogin = function(req, res, next) { if (!req.session.hasOwnProperty.call(req.session, 'userId')) { return res.redirect('/account/login'); } next(); };
How do you check the sessionID sent from the client againat the sessionID in store ? You mentioned this as middleware necessary in your introduction video on web authentication
@@CodeRealm I was confused by the fact that the user is making the request to React and React is making the request to the Express API, but I think I just had an "Aha!" moment, that the call to the Express API is actually coming from the client browser, so the session management should work seamlessly. Correct?
Exactly. The session cookie is attached to the request by the browser when you use fetch() or XMLHttpRequest. Whether the call is carried out within a handler in React, Angular or other has no bearing.
I am not able to find a good documentation to explain how the syntax const { PORT = 3000 } = process.env works. I know how it works semantically. But not able to understand how javascript supports this. What you are saying is if process.env has a member PORT then override PORT with that value or default it to 3000. But PORT is declared as a const and process.env is an associate array aka an object. How does js understands to convert this with this succint syntax ? Also instead of just a constant I want to create an object which I can export outside, how to do that ?
You destructure PORT out of process.env object and assign a default argument in case it's undefined (i.e. either the property doesn't exist or it's intentionally set to undefined, most likely the former). You can export it by writing the export keyword in front.
Hi, tutorial is awesome as always. One question: What if I have a react application and want to authenticate to the /login route using axios? I would send a post request to the /login route with the email and password in the body right? Then I get a response from the server including the cookie, right? And this cookie is somehow stored somewhere in browser? Or do i have to store the token in the application's state and send it as header for following requests? After I'm authenticated and I want to fetch, let's say some posts from the server with /posts, I have to include the cookie in the headers? Another one: We created a lifespan of 2 hours. What is when these 2 hours passes. I have to login again on the client side, right? Last one: In which part of the code does the server check if the client's cookie is valid? We just look if the user was found in the mock db and then attach an id property to the request object? So the user get's authenticated just with that id prop in the cookie? Sorry long time that something was soo complicated to me :D Maybe you can guide me into the right direction. Looked up other videos too but I'm not getting it :D Awesome stuff man :)
Once the browser receives a 200 OK with a Set-Cookie header, it will take care of storing the cookie. You can track it with JS via document.cookie or if it's HttpOnly, using a browser extension like EditThisCookie. Once stored in the browser, the cookie is automatically sent along with each request via the Cookie header. Once the cookie expires, the browser deletes it, and it's no longer sent to the server, so the user has to re-login. This is where you need to play with expiry time, as 2 hours might be too short. Alternatively, when the client makes calls to the API, you could extend their session, optionally checking if it's about to expire soon. "Soon" can be a slippery slope though. So, the question really becomes, how far in time would you allow to stretch the session, and how often can it be extended? Because a bot could log in to the system and continuously ping the server, thereby indefinitely extending its session lifetime. API throttling becomes a must in that case. The cookie is validated by express-session middleware. Once applied to an Express instance, it will inspect each incoming request for a session cookie. If present, the cookie is verified with a secret, and its ID is matched against the session store. If a match is found, the library injects the session object in req, including all data that was stored in it. So, following this video, you could do for ex.: req.session.userId. If a session is matched, you'll get a valid ID, but if it couldn't be found, you'll get undefined. That's how you know if they're still logged in. If you use connect-redis, sessions are stored using SETEX, meaning they auto-expire after maxAge. So, if the user tries the same cookie after it's expired (via cURL for example), the session simply won't be found, as it will have been deleted from the cache by that time. In other words, you'll get undefined for req.session.userId. This is true for external session stores, like connect-redis, connect-pg-simple, etc., i.e. the ones you'd use in a real site. The default in-memory store seems to auto-extend session expiry date on repeated requests to the server... Don't use it in production! Not at all, I loved your questions, Dominik! I'd also suggest you check out the Auth video ruclips.net/video/2PPSXonhIck/видео.html especially the first part about sessions and cookies. Hope this brief essay helps, lol. Cheers! Alex
@@CodeRealm Hi Alex. Thank you so much for the detailed explanation on this topic. I get it now. I also testet around with postman and a client with axios. I fully understand it now and I'm now feeling that I have more control over my auth flow comparing it to passport (where passport does everything for me). I already watched the tutorial it's awesome as ever. I also starred the github repo with the documents. Thx Dom
@@benogidan For Postman, you'd need the interceptor, so as to share the browser cookies. You could install it as an add-on extension in the past, but now that they migrated to a desktop app, I'm not sure if it was ever re-developed. Last time I checked (2017-ish?) it still wasn't out. On the client, you can use EditThisCookie
Actually, you might not need the interceptor, now that I think about it. As long as you attach the "Cookie" header with the session ID from the server, you'd be able to authenticate.
Hey guys, it's Alex again. I know the config for express-session can feel a bit daunting at first (I had to read through very carefully myself), so I created a reference guide that explains each option in detail. You can find it along with other presentations on GitHub github.com/alex996/presentations/blob/master/express-session.md
please if i may ask ,which algorithm used to hash session ID sent in the cookie?
@@medi7573 HMAC SHA256 github.com/tj/node-cookie-signature/blob/4496ae0795ef0fb6303184e1f44370546663e2e4/index.js#L20
Thank you. It is really daunting.
The way the documentation of express-session is written assumed that readers already know a pretty big deal.
my app works fine on localhost but it doesn't login when i deploy it to heroku. Any help?
Thank you so much
For people who are watching this video : at 20:10 in the newest versions of Express, body-parser package is now built-in in Express. All you need to do is use it as a middleware like this : app.use(express.json()) and app.use(express.urlencoded({extended: true}))
Thanks for the video!
At first I was like "wow dude this guy is way too fast", but after watching a lot of many other tutorials I realized yours are actually the best ones, straight to the point, while most of the others just do a 2 hours video for something that could've been explained in 30.
I surely can't fully understand this in 40 minutes, but I sure can pause the video and/or rewatch all the parts I didn't get at first and I'll know that I won't waste time since there's no dead moment
Great job and thank you :^D
yeah this video is still sol relevant and to the point
A year and a half later and this is still *the best* express-session tutorial. By far! Thank you for this Alex!
This channel is probably the best thing I found on the internet
Cute
Also, we can chain our routes if the have the same path like, "/login". Example:
app.route("/login")
.get(function (req, res) {
res.send('Login page"')
})
.post(function (req, res) {
res.send('post login')
});
Didn't know that, nice
I made a ridiculous amount of progress just from a few of your videos! My latest commit is the biggest I've ever made! Keep it up, and thank you!
A BIG THANK YOU for the level of detail and simplicity of this authentication tutorial, it has cleared my confusion on this topic as to when does the client know the user is still connected, or how the session is checked and validated! I've honestly seen this video and watched it on 1.5x before and I didn't get the pointers, so I watched a few more videos on the same topic but got really confused because there's no clear explanation how they validate the session data, how logging in and out works when the session is created/destroyed or how the server uses the session to determine the current user! So I finally watched your video on normal speed, and got the ideas right! I know how JWT authentication works already, it works on the payload, but this session authentication using express has eluded me, so thanks again!
Great job Alex. Really useful. I was doing well until around 30:00. It got over my head afterwards. But I discovered your new Authentication/Authorization series and will be going those for sure. Thanks for getting me up and going in a very short time. Cheers.
Thank you for this video. This is a great tutorial, I could learn, understand, and now I'm going to try to implement all the 'to dos' by myself.
Even today, almost 3 years later, It is not so common to find content abou session auth (JWT all over the place), let alone a so well produced material, so congratulations and thank you again.
Thank you so much alex. From last 3 days i was trying to learn how to implement session based authentication and i failed but from this video, I learned it easily.
tried many tutorials for authentication.This is by far the best explaination I have listened to.Cheers :)
Saved my life. So many hours and days of struggles and finally I have solved my problem thanks to you! Keep up the good work!
This is the best video on NodeJS authentication I have seen. Thanks
2:44 express-session [options], cookie and process.env configuration
11:57 authentication/routes
14:35 render HTML elements based on authentication
15:33 pseudo database
20:57 protected routes/middleware
23:45 very simple login validation
25:37 very simple registration validation
28:37 logout
30:14 res.locals middleware
32:56 persist sessions
33:49 cookie extension
38:31 final steps for production
Simple, clean and quality voice == best tutorial
This video has been so useful to me that I wish I could 'like' it many times. I've checked it three times already as a refresher. Thank you, Alex. 👍
I'm still in the middle of this.. but this is way too good so far. It's clear, concise and to the point. Thanks for your time buddy!
Thank you BRO! From Russia with love
Coming from perhaps the absolute beginner in Node, thank you. I not only understood the basics of session management, you helped me improve my workflow as well. Currently trying to adapt this with your suggestions (database, validation, hashing...). Running into issues, but I'm confident I'll crack it soon. I'm grateful. Have a sub.
Hey there! I have to give you a huge thumbs up! This is one of the best tutorials I have ever watched! Everything you said made sense and you didn't speak to hear yourself talk. You got straight to the point and everything was clear and concise. Thank you! I liked and subscribed and will be watching more of your videos. Once again...GREAT JOB! Wish others made excellent tutorials like this one. Take care, Lee
Bro u r seriously amazing. This is the first video I have watched of urs and I am a fan of ur to the point videos with all the minor explanations as well.
Btw I watched at 1.5x speed 😂. Perfect
I liked this tutorial. Best among youtube videos I watched to meet my session management requiremnent with Node.js
Wow u have even written everything in the comments on the notes too. That is really awesome.
RUclips clearly works for the sake of this channel.
Thanks for this tutorial. Completely clear of express-session
Many many thanks for this tutorial. Ofcourse I understood the principle of cookies but never knew how to use it in my requests. Thanks!
Sir i didn't get why you use redirectHome into login POST request?
You are so knowledgeable. I've leant quite a few useful things that I didn't know.
Thank you for this amazing series....🤗👍👍
Sir i didn't get why you use redirectHome into login POST request?
Omg Struggled for so many days and now it's clear!
Great tutorial!! You explained it so clear and simple! Thanks!
Very good explanation. I'm doing this for the first time and it makes complete sense
love the pace, love the clear language. thank you !! :D
Hey I'm french and I watched your video , which helped me a lot for my backend school project... You speak a little to fast but I understood almost everything I needed to haha. thanks!
Absolutely the best Alex, no doubts. I own you a lot
How do I give this video 10 thumbs up?
It deserves it.
From one random guy to another, Thank you. :)
This is the best tutorial out there.
Great tutorial , Thanks buddy!
Sir i didn't get why you use redirectHome into login POST request?
Exactly what i was looking for. Thanks Alex. Love from India
Thanks man! This is exactly what i looking for. Nice work!
On my recommended, Im so glad I clicked it lol
Sub!!!
At first I thought... damn!! dude has no chills at all, then with the little humour at around16:10 I was like, whew! he's human after all :) great video
thank you so much you don't know how much this helped
Even though I define my req.session.userId = user.id, and can console.log in the same page it works..
But printing req.session.userId anywhere else doesnt work, it returns undefined..
not really finding any good solutions online, I must have missed something?
RICARD, QUE GUAPO DEJAR A ESTE CHAVAL ENSEÑARNOS LO QUE TU DEBERÍAS EH, TA WAPA LA FAENA DE PROFE DEL CHILL HACIENDO TUS OTROS TRABAJOS EN VEZ DE ENSEÑARNOS EHHH.
Np, te quiero
Happy new year dood!
really helpful i learn a lot today....kep it up...thanks
you are one of the best Sire! Thanks a very lot!
Checking only if a session is present rather than verifying it, wouldn't it allow people to access /home with any random value set as session id? [21:37]
The session ID will only be present on req.session if the session was successfully loaded by express-session. If they try sending in a bogus session ID cookie, the session won't be found (in redis, mongodb, etc.).
Thumbs up, you are a real prodigy!
I have gotten to the part at 15:00 . my req.session is undefined. Any advice?
did you fix it?
@@emilgebl8644 I believe it was an issue with either cookies or local host
@@colin3217 Oh, well I removed the cookie part and then it worked. Maybe that its cookie using on localhost?
@@emilgebl8644 yeah cookies dont work on local host
This was super helpful. Thanks you very much.
That's a really nice tutorial. Impressed !
Wow you explain very well! thanks
for your login route at 25:21 why does the response need a return, then if your login fails it just sends a regular response? when I tried it without the return it gave me an error, but with the return, it works just fine.
You don't want it to flow through and attempt a second redirect. When you preface line 121 with a return, the function (route handler) will exit and never leave the if condition.
quick and best explained tutorial.
thank you for sharing how session express works.
You are the realm the real teacher, thank you!
26:45 How do you know that if(!exists) will execute after your line 132 const exists = users.some(...) ? I know JavaScript is asynchronous and this type of stuff trips me up
Array.prototype.some method is syncronous. You don't need to tack on a .then() or preface it with await; that's only the case for async calls.
I am a simple person. See UBUNTU press like.
Great tutorial.
Hey, I would like to clarify some doubts. If the maxAge is set to a timethen wouldn't the cookie be deleted by the browser even though there is user activity? Wouldn't that affect user experience? Is there some kind of best practice?
express-session has a rolling option to extend the expiry date on subsequent requests. You may want to be careful so as not to extend it indefinitely though; that's where the absolute timeout comes in
Wow. Perfect. A way to create a register, login, session and logout in 1 video. Just what I needed.
I looked at your presentations on github and you go into detail on how to use redis to store a session ID. Any chance you can give a quick explanation on how to store the session ID on mongoDB? Thanks
So glad I found this video
Thanks, Alex, that was amazing!!!!!!!!!!
Thank you so much for this video....let say if i save token in cookie at client shall i need to manually send it along with header OR it will be auto sent if i stored in cookie..?
awesome tutorial. Thank you so much
Amazing tutorial 🤩
You explained this really well, thank you.
What this comment is going to do is this comment will appreciate your hard work.
Super useful. Thanks :)
Exactly that i was looking for..Thank you so much
Great tutorial on authentication.
Great video! Is there a copy of the code available anywhere?
thank u so much, I really benefitted after sean this video
Great tutorial, but I have a question. Why do you create a session ID on register? Isn't something you should do only when the user logs in?
When you register you are being logged in as well, so that after registering you dont have to go /login and give credentials there also!
@@muktesh_gautam totally understandable. But I guess in my case I shouldn't do that as I'm sending an email verification to verify that the user's email is valid :D
@@renaano haha yes, you should direct that user to some other page then, well i yet have discover that side of authentication! : )
I didn't get why you use redirectHome into login POST request?
Very informative, thanks!
You Motivate ME .... Thanks man --->
Great explanation , thank you !
Hello Alex! Find function in the /login post method is not working in my piece of code! Can you please help?
Great, very clear explanation!
Very nice tutorial, thanks a lot, i have question when does the cookie is attached with request object like when you do req.session.userId = user.id, what happens is you are setting a property for req.session is this line make the cookie sid(session id which is a big string as you explained) to be set on the document.cookie
document.cookie gives you access to non-HttpOnly cookies (i.e. those visible to JS). The cookie header itself is set by express-session shortly before the response is set out. That's what the middleware does when you mount it to the Express (app) instance.
Hi, good work doing this video :
Had one question :
Could the user "create" a cookie named "userId" containing a random value and be redirected to /home without having to login, since we are only checking the presence of req.session.userId , could this be a potential abuse ? (since user can send whatever they went through request right ?)
What I suggest in this case is to validate the userId with our database (here the array). But could be heavy to do so on every request so I don't know..
hi, This was a great training. Thank
Great Tutorial Man :)
you have really great knowledge
this is an amazing tutorial!
This was really helpful! FYI, the custom middleware redirectLogin wasn't working me for some reason. I had to use the hasOwnProperty method:
const redirectLogin = function(req, res, next) {
if (!req.session.hasOwnProperty.call(req.session, 'userId')) {
return res.redirect('/account/login');
}
next();
};
How do you check the sessionID sent from the client againat the sessionID in store ? You mentioned this as middleware necessary in your introduction video on web authentication
express-session _is_ the middleware that does this check among other things.
Amazing job man!
Is it possible to use this method if I'm using a React front end that's communicating with an Express API?
Sure, why not.
@@CodeRealm I was confused by the fact that the user is making the request to React and React is making the request to the Express API, but I think I just had an "Aha!" moment, that the call to the Express API is actually coming from the client browser, so the session management should work seamlessly. Correct?
Exactly. The session cookie is attached to the request by the browser when you use fetch() or XMLHttpRequest. Whether the call is carried out within a handler in React, Angular or other has no bearing.
I am not able to find a good documentation to explain how the syntax const { PORT = 3000 } = process.env works. I know how it works semantically. But not able to understand how javascript supports this. What you are saying is if process.env has a member PORT then override PORT with that value or default it to 3000. But PORT is declared as a const and process.env is an associate array aka an object. How does js understands to convert this with this succint syntax ? Also instead of just a constant I want to create an object which I can export outside, how to do that ?
You destructure PORT out of process.env object and assign a default argument in case it's undefined (i.e. either the property doesn't exist or it's intentionally set to undefined, most likely the former). You can export it by writing the export keyword in front.
Thank you this was helpful
Thank you for this very useful one!
Continue watching at: 21:06
Hi, tutorial is awesome as always. One question:
What if I have a react application and want to authenticate to the /login route using axios?
I would send a post request to the /login route with the email and password in the body right?
Then I get a response from the server including the cookie, right? And this cookie is somehow stored somewhere in browser? Or do i have to store the token in the application's state and send it as header for following requests?
After I'm authenticated and I want to fetch, let's say some posts from the server with /posts, I have to include the cookie in the headers?
Another one:
We created a lifespan of 2 hours. What is when these 2 hours passes. I have to login again on the client side, right?
Last one:
In which part of the code does the server check if the client's cookie is valid? We just look if the user was found in the mock db and then attach an id property to the request object? So the user get's authenticated just with that id prop in the cookie? Sorry long time that something was soo complicated to me :D Maybe you can guide me into the right direction. Looked up other videos too but I'm not getting it :D
Awesome stuff man :)
Once the browser receives a 200 OK with a Set-Cookie header, it will take care of storing the cookie. You can track it with JS via document.cookie or if it's HttpOnly, using a browser extension like EditThisCookie. Once stored in the browser, the cookie is automatically sent along with each request via the Cookie header.
Once the cookie expires, the browser deletes it, and it's no longer sent to the server, so the user has to re-login. This is where you need to play with expiry time, as 2 hours might be too short. Alternatively, when the client makes calls to the API, you could extend their session, optionally checking if it's about to expire soon. "Soon" can be a slippery slope though. So, the question really becomes, how far in time would you allow to stretch the session, and how often can it be extended? Because a bot could log in to the system and continuously ping the server, thereby indefinitely extending its session lifetime. API throttling becomes a must in that case.
The cookie is validated by express-session middleware. Once applied to an Express instance, it will inspect each incoming request for a session cookie. If present, the cookie is verified with a secret, and its ID is matched against the session store. If a match is found, the library injects the session object in req, including all data that was stored in it. So, following this video, you could do for ex.: req.session.userId. If a session is matched, you'll get a valid ID, but if it couldn't be found, you'll get undefined. That's how you know if they're still logged in.
If you use connect-redis, sessions are stored using SETEX, meaning they auto-expire after maxAge. So, if the user tries the same cookie after it's expired (via cURL for example), the session simply won't be found, as it will have been deleted from the cache by that time. In other words, you'll get undefined for req.session.userId. This is true for external session stores, like connect-redis, connect-pg-simple, etc., i.e. the ones you'd use in a real site. The default in-memory store seems to auto-extend session expiry date on repeated requests to the server... Don't use it in production!
Not at all, I loved your questions, Dominik! I'd also suggest you check out the Auth video ruclips.net/video/2PPSXonhIck/видео.html especially the first part about sessions and cookies. Hope this brief essay helps, lol. Cheers!
Alex
@@CodeRealm Hi Alex. Thank you so much for the detailed explanation on this topic. I get it now. I also testet around with postman and a client with axios. I fully understand it now and I'm now feeling that I have more control over my auth flow comparing it to passport (where passport does everything for me).
I already watched the tutorial it's awesome as ever. I also starred the github repo with the documents.
Thx Dom
@@CodeRealm what about for Postman requests how does that work and can you access the cookie from your client after logging in
@@benogidan For Postman, you'd need the interceptor, so as to share the browser cookies. You could install it as an add-on extension in the past, but now that they migrated to a desktop app, I'm not sure if it was ever re-developed. Last time I checked (2017-ish?) it still wasn't out. On the client, you can use EditThisCookie
Actually, you might not need the interceptor, now that I think about it. As long as you attach the "Cookie" header with the session ID from the server, you'd be able to authenticate.
thanks for the video, it helps a lot
waiting for the next tutorial!
this video was greatly comprehensive but I think if you write less code, show the output and then proceed then it will be much better...thank you!
Thank u for this awesome video and series