Home/ Questions/Q 9239755
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T08:03:41+00:00

I am writing an ExpressJS backend with User login support. From multiple examples I

  • 0

I am writing an ExpressJS backend with User login support. From multiple examples I see the use of req.session object. It seems this object is used to store and retrieve information across server and client, so the server can set a “logged” flag and later check this flag to see if the user has logged in.

My question is, how exactly does this work? How does the server store information on the client and retrieve it from every request, is it through cookies? Is it possible for a client to manually manipulate the content of this object on the client side to foil security? If it is, what is a more secure way to check user login?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I found something from the ExpressJS Google group, so a session and cookie is a bit different in ExpressJS. Basically:

    Res.cookie adds a cookie to the response; req.session is a server-side
    key/value store. Session data lives in server memory by default,
    although you can configure alternate stores.

    You can store anything you want in a session. The only thing the
    client sees is a cookie identifying the session.

    (Credit goes to Laurie Harper)

    So it seems ExpressJS is already doing what @Vahid mentioned, storing the values on the server and saves a key as a cookie on the client side. From my understanding, req.session uses its own cookie (which contains just a key), independent from req.cookie’s custom cookie.

    • 0