The latest articles on Forem by AKINTOLA STEPHEN IYANU (@akintolastephen). https://forem.com/akintolastephen https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F651094%2Fb529577e-f699-42f5-b4ba-a7a2694d0243.jpeg https://forem.com/akintolastephen en AKINTOLA STEPHEN IYANU Thu, 10 Oct 2024 11:06:52 +0000 https://forem.com/akintolastephen/session-management-in-node-js-3jd7 https://forem.com/akintolastephen/session-management-in-node-js-3jd7 <p>To explain session management in Node.js in simpler terms, imagine you're visiting a website and logging in. </p> <p>The website needs a way to remember who you are while you're browsing different pages, right? That's where sessions come in! Sessions help the website keep track of you, storing your information temporarily so it can recognize you, even after you move from one page to another.</p> <h2> What is Session Management? </h2> <p>Session management is like a system that keeps track of a user's interactions with a website. Think of it as a "memory" for the website, helping it remember you while you're logged in. Every time you visit the site, it starts a "session," and the site remembers things about you, like your name or your preferences. This session ends when you log out.</p> <h3> Setting up Session Management in Node.js </h3> <p>To manage sessions in a Node.js app, you need something called <strong>middleware</strong>—a helper that sits between the user and the server to process the requests. One of the most popular options for managing sessions in Node.js is <strong>express-session</strong>.</p> <p>Here's how you can get started:</p> <ol> <li> <strong>Install the express-session package</strong> by running: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> npm <span class="nb">install </span>express-session </code></pre> </div> <ol> <li> <strong>Set up the session middleware</strong> in your app. This is how you do it: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-session</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">session</span><span class="p">({</span> <span class="na">secret</span><span class="p">:</span> <span class="dl">'</span><span class="s1">secret-key</span><span class="dl">'</span><span class="p">,</span> <span class="na">resave</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">saveUninitialized</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">}));</span> </code></pre> </div> <h3> How Sessions Work </h3> <p>When a user logs in, a unique session is created just for them. This session data is stored on the server, while a small piece of information, called a <strong>session ID</strong>, is saved in the user's browser. Every time the user makes a request (like visiting a new page), the session ID is sent back to the server to retrieve the user's session.</p> <p>Here's an example of how this looks in code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nf">isValidUser</span><span class="p">(</span><span class="nx">username</span><span class="p">,</span> <span class="nx">password</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// If the user is valid, store info in the session</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">isLoggedIn</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">username</span> <span class="o">=</span> <span class="nx">username</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">msg</span><span class="p">:</span> <span class="s2">`Redirecting to dashboard page...`</span><span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">msg</span><span class="p">:</span> <span class="s2">`User credentials not not valid`</span><span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>In this example, once the user logs in, the session stores their <code>isLoggedIn</code> status and <code>username</code>.</p> <h3> Session Expiration </h3> <p>Sessions don’t last forever. After a while, the session should expire for security reasons. You can control how long a session lasts by setting an expiration time. Here’s how you can make a session expire after 1 minute:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">session</span><span class="p">({</span> <span class="na">secret</span><span class="p">:</span> <span class="dl">'</span><span class="s1">secret-key</span><span class="dl">'</span><span class="p">,</span> <span class="na">resave</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">saveUninitialized</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">cookie</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">60000</span> <span class="p">}</span> <span class="c1">// Session expires after 60 seconds</span> <span class="p">}));</span> </code></pre> </div> <h3> Logging Out and Destroying the Session </h3> <p>When a user logs out, you want to destroy their session so the website no longer remembers them. Here’s how you can do that:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/logout</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nf">destroy</span><span class="p">((</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">msg</span><span class="p">:</span> <span class="s2">`Successfully logged out...`</span><span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h3> Retrieving Session Data </h3> <p>If you want to use the session information, like displaying the username on a dashboard, you can easily retrieve it like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">isLoggedIn</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">isLoggedIn</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">username</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">username</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">isLoggedIn</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">msg</span><span class="p">:</span><span class="s2">`Successfully logged in`</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">username</span> <span class="p">}});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">msg</span><span class="p">:</span> <span class="s2">`Log in not successful`</span> <span class="na">data</span><span class="p">:</span> <span class="nx">username</span> <span class="p">?</span> <span class="nx">username</span><span class="p">:</span> <span class="dl">""</span><span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h3> Keeping Sessions Secure </h3> <p>Lastly, it’s important to keep session data safe. You can do this by:</p> <ul> <li>Using secure cookies (cookies that are only sent over HTTPS).</li> <li>Encrypting session data.</li> <li>Always using strong secret keys.</li> </ul> <h3> Summary </h3> <p>In simple terms, sessions help websites remember who you are while you’re logged in. In a Node.js app, we use middleware like <strong>express-session</strong> to manage these sessions, store user data, set expiration times, and secure the session information. This ensures that the site is efficient and secure for users while managing their sessions.</p> session node backenddevelopment javascript