Skip to content

Express Sessions

New Course Coming Soon:

Get Really Good at Git

How to use sessions to identify users across requests

By default Express requests are sequential and no request can be linked to each other. There is no way to know if this request comes from a client that already performed a request previously.

Users cannot be identified unless using some kind of mechanism that makes it possible.

That’s what sessions are.

When implemented, every user of your API or website will be assigned a unique session, and this allows you to store the user state.

We’ll use the express-session module, which is maintained by the Express team.

You can install it using

npm install express-session

and once you’re done, you can instantiate it in your application with

const session = require('express-session')

This is a middleware, so you install it in Express using

const express = require('express')
const session = require('express-session')

const app = express()
app.use(session({
  'secret': '343ji43j4n3jn4jk3n'
}))

After this is done, all the requests to the app routes are now using sessions.

secret is the only required parameter, but there are many more you can use. It should be a randomly unique string for your application.

The session is attached to the request, so you can access it using req.session here:

app.get('/', (req, res, next) => {
  // req.session
}

This object can be used to get data out of the session, and also to set data:

req.session.name = 'Flavio'
console.log(req.session.name) // 'Flavio'

This data is serialized as JSON when stored, so you are safe to use nested objects.

You can use sessions to communicate data to middleware that’s executed later, or to retrieve it later on, on subsequent requests.

Where is the session data stored? It depends on how you set up the express-session module.

It can store session data in

There is a big list of 3rd packages that implement a wide variety of different compatible caching stores in https://github.com/expressjs/session

All solutions store the session id in a cookie, and keep the data server-side. The client will receive the session id in a cookie, and will send it along with every HTTP request.

We’ll reference that server-side to associate the session id with the data stored locally.

Memory is the default, it requires no special setup on your part, it’s the simplest thing but it’s meant only for development purposes.

The best choice is a memory cache like Redis, for which you need to setup its own infrastructure.

Another popular package to manage sessions in Express is cookie-session, which has a big difference: it stores data client-side in the cookie. I do not recommend doing that because storing data in cookies means that it’s stored client-side, and sent back and forth in every single request made by the user. It’s also limited in size, as it can only store 4 kilobytes of data. Cookies also need to be secured, but by default they are not, since secure Cookies are possible on HTTPS sites and you need to configure them if you have proxies.

Are you intimidated by Git? Can’t figure out merge vs rebase? Are you afraid of screwing up something any time you have to do something in Git? Do you rely on ChatGPT or random people’s answer on StackOverflow to fix your problems? Your coworkers are tired of explaining Git to you all the time? Git is something we all need to use, but few of us really master it. I created this course to improve your Git (and GitHub) knowledge at a radical level. A course that helps you feel less frustrated with Git. Launching Summer 2024. Join the waiting list!
→ Get my Express.js Handbook
→ Read my Express.js Tutorial on The Valley of Code

Here is how can I help you: